AttributeDescription contains inappropriate characters
We are running OpenLDAP 2.2.15 (installed from source) on RHES3 and are
getting "AttributeDescription contains inappropriate characters" whenever
one of our applications tries to do a certain query.
The general flow is this:
1. Query if user account exists.
2. Do a bind().
3. Check group membership.
Here is the '-d -1' output when the error occurs:
...
ldap_err2string
<= ldap_dn2bv(cn=xx,ou=groups,dc=example,dc=com)=0 Success
<<< dnPrettyNormal: <cn=XX,ou=Groups,dc=example,dc=com>, <cn=xx,ou=groups,dc=example,dc=com>
send_ldap_result: conn=1 op=1 p=3
send_ldap_result: err=17 matched="" text="AttributeDescription contains inappropriate characters"
send_ldap_response: msgid=2 tag=111 err=17
ber_flush: 68 bytes to sd 14
0000: 30 42 02 01 02 6f 3d 0a 01 11 04 00 04 36 41 74 0B...o=......6At
0010: 74 72 69 62 75 74 65 44 65 73 63 72 69 70 74 69 tributeDescripti
0020: 6f 6e 20 63 6f 6e 74 61 69 6e 73 20 69 6e 61 70 on contains inap
0030: 70 72 6f 70 72 69 61 74 65 20 63 68 61 72 61 63 propriate charac
0040: 74 65 72 73 ters
ldap_write: want=68, written=68
0000: 30 42 02 01 02 6f 3d 0a 01 11 04 00 04 36 41 74 0B...o=......6At
0010: 74 72 69 62 75 74 65 44 65 73 63 72 69 70 74 69 tributeDescripti
0020: 6f 6e 20 63 6f 6e 74 61 69 6e 73 20 69 6e 61 70 on contains inap
0030: 70 72 6f 70 72 69 61 74 65 20 63 68 61 72 61 63 propriate charac
0040: 74 65 72 73 ters
conn=1 op=1 RESULT tag=111 err=17 text=AttributeDescription contains inappropriate characters
...
I found that this error is generated by servers/slapd/ad.c in two places:
openldap-2.2.15/servers/slapd/ad.c:slap_bv2ad()
    /* make sure description is IA5 */
    if( ad_keystring( bv ) ) {
        *text = "AttributeDescription contains inappropriate characters";
        return rtn;
    }
openldap-2.2.15/servers/slapd/ad.c:slap_bv2undef_ad()
    /* make sure description is IA5 */
    if( ad_keystring( bv ) ) {
        *text = "AttributeDescription contains inappropriate characters";
        return LDAP_UNDEFINED_TYPE;
    }
The variable bv (struct berval) is passed to both functions.
What I can't tell from the debug output is what is CAUSING bv to not be
valid. Is the LDAP client sending a query with a bad string? I don't see
that in the debug output. Could there be something wrong with a schema file?
By the way, the group is groupOfUniqueNames:
# XX, Groups, example.com
dn: cn=XX,ou=Groups,dc=example,dc=com
cn: XX
uniqueMember: uid=someuser,ou=Accounts,dc=example,dc=com
objectClass: groupOfUniqueNames
objectClass: top
And uid=someuser,ou=Accounts,dc=example,dc=com is:
# someuser, Accounts, example.com
dn: uid=someuser,ou=Accounts,dc=example,dc=com
uid: someuser
userPassword:: xxxxxx
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
We have stopped using ACLs for now while testing.
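Two things in the trace above narrow the question of where the bad string comes from. The response tag 111 is 0x6f, the [APPLICATION 15] CompareResponse of RFC 4511, so the failing operation is the group-membership compare, not the search or the bind; and err=17 is undefinedAttributeType, the LDAP_UNDEFINED_TYPE that the slap_bv2undef_ad() branch returns. In a compare the attribute description slapd validates is the one the client put in its CompareRequest, so the request side of the same trace (the part elided with "...") is where the offending string would appear. The following added example, which is not from the post and is not OpenLDAP code, decodes the ber_flush bytes quoted above into the LDAPResult fields to confirm that reading, and then checks candidate attribute descriptions against the RFC 4512 attributedescription grammar. The regular expression is an assumption that approximates what ad_keystring() enforces rather than a copy of it, the small tag/result-code tables are a subset of the RFC values, and the candidate strings at the bottom are constructed (a trailing space or a stray "=" are typical client-side mistakes that this check rejects).

```python
"""Decode the CompareResponse from the post's ber_flush dump and validate
attribute descriptions against RFC 4512 (added example, not OpenLDAP code)."""
import re

# Bytes copied from the post's "ber_flush: 68 bytes to sd 14" dump.
COMPARE_RESPONSE_HEX = (
    "30 42 02 01 02 6f 3d 0a 01 11 04 00 04 36 41 74"
    " 74 72 69 62 75 74 65 44 65 73 63 72 69 70 74 69"
    " 6f 6e 20 63 6f 6e 74 61 69 6e 73 20 69 6e 61 70"
    " 70 72 6f 70 72 69 61 74 65 20 63 68 61 72 61 63"
    " 74 65 72 73"
)

# [APPLICATION n] tags of some LDAP result operations (RFC 4511): 0x60 + n.
LDAP_RESULT_OPS = {0x61: "BindResponse", 0x65: "SearchResultDone", 0x6F: "CompareResponse"}
# Subset of RFC 4511 result codes.
LDAP_RESULT_CODES = {0: "success", 17: "undefinedAttributeType", 32: "noSuchObject"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_result(raw):
    """Parse LDAPMessage { messageID, <result op> LDAPResult } into a dict."""
    tag, msg, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("messageID must be an INTEGER")
    op_tag, op, _ = read_tlv(msg, pos)
    # LDAPResult ::= SEQUENCE { resultCode ENUMERATED, matchedDN LDAPDN,
    #                           diagnosticMessage LDAPString, ... }
    tag, code, pos = read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("resultCode must be an ENUMERATED")
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "op_tag": op_tag,
        "op_name": LDAP_RESULT_OPS.get(op_tag, "other"),
        "result_code": code,
        "result_name": LDAP_RESULT_CODES.get(code, "other"),
        "matched_dn": matched.decode("utf-8"),
        "diagnostic": diag.decode("utf-8"),
    }


# RFC 4512 section 2.5: attributedescription = attributetype options
#   attributetype = descr / numericoid ; descr = ALPHA *( ALPHA / DIGIT / "-" )
#   numericoid = number 1*( "." number ) ; options = *( ";" 1*( ALPHA / DIGIT / "-" ) )
# This regex is an approximation of that grammar, not slapd's ad_keystring().
_KEYCHARS = "[A-Za-z0-9-]"
_NUMBER = "(?:0|[1-9][0-9]*)"
ATTRIBUTE_DESCRIPTION_RE = re.compile(
    "(?:[A-Za-z]" + _KEYCHARS + "*|" + _NUMBER + "(?:\\." + _NUMBER + ")+)"
    "(?:;" + _KEYCHARS + "+)*"
)


def attribute_description_ok(desc):
    """True if desc is a syntactically valid attribute description."""
    return ATTRIBUTE_DESCRIPTION_RE.fullmatch(desc) is not None


def offending_chars(desc):
    """Characters in desc outside the ASCII set an attribute description may use."""
    allowed = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-.;")
    return sorted({c for c in desc if c not in allowed})


if __name__ == "__main__":
    result = decode_ldap_result(bytes.fromhex(COMPARE_RESPONSE_HEX))
    for key, value in result.items():
        print(f"{key:>12}: {value!r}")
    # Constructed candidates a client might send in a compare; the first three
    # are valid, the rest would be rejected with err=17.
    for desc in ["uniqueMember", "cn;lang-en", "2.5.4.31", "uniqueMember ", "uniqueMember=", ""]:
        print(f"{desc!r:>18} valid={attribute_description_ok(desc)} bad={offending_chars(desc)}")
```

Running the script prints message_id 2, op_name CompareResponse and result_code 17 with the same diagnostic text the trace shows, which ties the error to the compare step. The same validator applied to the attribute name from the client's CompareRequest (or to any attribute names in the schema files, if a schema problem is suspected) shows immediately which string slapd would reject and which character in it is the culprit.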