Re: nisNetgroupTriple trouble

[Ryan Lovett <ryan@stat.Berkeley.EDU>]

On Sat, Apr 07, 2007 at 12:48:55AM -0700, Howard Chu wrote:
> Ryan Lovett wrote:
> >I turned up the logging on the OpenLDAP server and spotted several
> >instances of:
> >
> >get_ava: illegal value for attributeType nisNetgroupTriple
> >
> >I've looked over RFC 2307 and the values stored in OpenLDAP seem to be
> >consistent with the defined syntax. Additionally, the server did not object
> >when I inserted the data so I don't know why there is a problem when
> >reading it.
> 
> Most likely this error message is reporting the wrong thing. In fact 
> there is no equality matching rule for the nisNetgroupTriple 
> attributetype, so it cannot be used in a search filter.
 
Thanks for your feedback. Given your information I searched a bit more and
found this post:

http://osdir.com/ml/ldap.padl.nss/2005-02/msg00004.html

where someone changed the attributetype from

   attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        SYNTAX 1.3.6.1.1.1.0.0 )

to

   attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
        DESC 'Netgroup triple'
        EQUALITY caseExactIA5Match
        SUBSTR caseExactIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

This quieted the get_ava message and solved my problem where the client
wasn't able to lookup the netgroup data. Apparently this has also helped a
few other people with Solaris clients:

http://www.openldap.org/lists/openldap-software/200402/msg00584.html
http://sapiens.wustl.edu/~sysmain/info/openldap/schemas/nis.schema
http://www.archivesat.com/OpenLDAP_bugs/thread1581049.htm

I'm mentioning these reports in case it helps other people.

Regards,
Ryan