[Date Prev][Date Next] [Chronological] [Thread] [Top]

Openldap allows to break schema (and doesn't start ever after)

To: openldap-technical@openldap.org
Subject: Openldap allows to break schema (and doesn't start ever after)
From: Daniel Fenert <daniel@fenert.pl>
Date: Mon, 21 Mar 2016 15:37:58 +0100
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0

Hi, 

I've accidentally broken my openldap schema when I've changed one of 
objectClass definitions. For example I have two objectClasses and one is 
a parent for second:

olcObjectClasses: {0}( 1.2.3.4 NAME 'foo' DESC '' SUP top AUXILIARY 
X-ORIGIN 'user defined' )
olcObjectClasses: {1}( 1.2.3.5 NAME 'bar' DESC '' SUP foo AUXILIARY 
X-ORIGIN 'user defined' )

I've changed definition of foo - I've delete this object and (my 
mistake) put it without any number at bottom of all classes:

dn: cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {0}
-
add: olcObjectClasses
olcObjectClasses: ( 1.2.3.4 NAME 'foo' DESC '' SUP top AUXILIARY 
X-ORIGIN 'user defined' )

So now I have class bar at top of schema and foo at bottom. After 
restart slapd won't start. Slapcat says:

56d4678f olcObjectClasses: value #5 olcObjectClasses: ObjectClass not 
found: "foo"
56d4678f config error processing cn=config: olcObjectClasses: 
ObjectClass not found: "foo"
slapcat: bad configuration file!

I know that is my mistake, but I think openldap shouldn't allow to make something that 
could break schema. 
I think that there are should constraints that do not allow to remove objectClass 
which is parent for another class.

Is it a known bug, or anyone has stumbled upon this and has a solution to start slapd afterwards?

-- 
Daniel Fenert

Prev by Date: Re: how to provide a way to user to change their password
Next by Date: Safely Allow Users to Write self Attributes
Index(es):
- Chronological
- Thread