PR#50934: Ticket 50933 - rfc2307compat.ldif - 389-ds-base

389-ds-base

#50934 Ticket 50933 - rfc2307compat.ldif

Closed 3 years ago by spichugi. Opened 4 years ago by firstyear.

firstyear/389-ds-base 50933-rfc2307-compat into master

Ticket 50933 - rfc2307compat.ldif

William Brown • 4 years ago

0683bcd

Makefile.am

file modified

+2 -1

		`@@ -705,6 +705,7 @@`
		`$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-FamilyNames \`
		`$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-GivenNames \`
		`$(srcdir)/ldap/servers/slapd/tools/rsearch/scripts/dbgen-OrgUnits \`
		`+ $(srcdir)/ldap/schema/10rfc2307.ldif \`
		`$(srcdir)/ldap/schema/10rfc2307bis.ldif \`
		`$(srcdir)/ldap/schema/60changelog.ldif \`
		`$(srcdir)/ldap/schema/60inetmail.ldif \`
		`@@ -729,7 +730,7 @@`
		`$(srcdir)/ldap/schema/10automember-plugin.ldif \`
		`$(srcdir)/ldap/schema/10dna-plugin.ldif \`
		`$(srcdir)/ldap/schema/10mep-plugin.ldif \`
		`- $(srcdir)/ldap/schema/10rfc2307.ldif \`
		`+ $(srcdir)/ldap/schema/10rfc2307compat.ldif \`
		`$(srcdir)/ldap/schema/20subscriber.ldif \`
		`$(srcdir)/ldap/schema/25java-object.ldif \`
		`$(srcdir)/ldap/schema/28pilot.ldif \`

ldap/schema/10rfc2307compat.ldif

file added

+353

		`@@ -0,0 +1,353 @@`
		`+ # New and improved RFC 2307 schema that is forward compatable between`
		`+ # rfc2307 and rfc2307bis (aka RFC 2307 compat)`
		`+ # "An Approach for Using LDAP as a Network Information Service"`
		`+ #`
		`+ dn: cn=schema`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.0 NAME 'uidNumber'`
		`+ DESC 'An integer uniquely identifying a user in an administrative domain'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.1 NAME 'gidNumber'`
		`+ DESC 'An integer uniquely identifying a group in an`
		`+ administrative domain'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.2 NAME 'gecos'`
		`+ DESC 'The GECOS field; the common name'`
		`+ EQUALITY caseIgnoreIA5Match`
		`+ SUBSTR caseIgnoreIA5SubstringsMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.3 NAME 'homeDirectory'`
		`+ DESC 'The absolute path to the home directory'`
		`+ EQUALITY caseExactIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.4 NAME 'loginShell'`
		`+ DESC 'The path to the login shell'`
		`+ EQUALITY caseExactIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.6 NAME 'shadowMin'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.7 NAME 'shadowMax'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.8 NAME 'shadowWarning'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.9 NAME 'shadowInactive'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.10 NAME 'shadowExpire'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.11 NAME 'shadowFlag'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.12 NAME 'memberUid'`
		`+ EQUALITY caseExactIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'`
		`+ EQUALITY caseExactIA5Match`
		`+ SUBSTR caseExactIA5SubstringsMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'`
		`+ DESC 'Netgroup triple'`
		`+ EQUALITY caseIgnoreIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.15 NAME 'ipServicePort'`
		`+ DESC 'Service port number'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'`
		`+ DESC 'Service protocol name'`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'`
		`+ DESC 'IP protocol number'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'`
		`+ DESC 'ONC RPC number'`
		`+ EQUALITY integerMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'`
		`+ DESC 'IPv4 addresses as a dotted decimal omitting leading`
		`+ zeros or IPv6 addresses as defined in RFC2373'`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'`
		`+ DESC 'IP network as a dotted decimal, eg. 192.168,`
		`+ omitting leading zeros'`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'`
		`+ DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,`
		`+ omitting leading zeros'`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.22 NAME 'macAddress'`
		`+ DESC 'MAC address in maximal, colon separated hex`
		`+ notation, eg. 00:00:92:90:ee:e2'`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.23 NAME 'bootParameter'`
		`+ DESC 'rpc.bootparamd parameter'`
		`+ EQUALITY caseExactIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.24 NAME 'bootFile'`
		`+ DESC 'Boot image name'`
		`+ EQUALITY caseExactIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.26 NAME 'nisMapName'`
		`+ DESC 'Name of a A generic NIS map'`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'`
		`+ DESC 'A generic NIS entry'`
		`+ EQUALITY caseExactIA5Match`
		`+ SUBSTR caseExactIA5SubstringsMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'`
		`+ DESC 'NIS public key'`
		`+ EQUALITY octetStringMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'`
		`+ DESC 'NIS secret key'`
		`+ EQUALITY octetStringMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.30 NAME 'nisDomain'`
		`+ DESC 'NIS domain'`
		`+ EQUALITY caseIgnoreIA5Match`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.31 NAME 'automountMapName'`
		`+ DESC 'automount Map Name'`
		`+ EQUALITY caseExactIA5Match`
		`+ SUBSTR caseExactIA5SubstringsMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.32 NAME 'automountKey'`
		`+ DESC 'Automount Key value'`
		`+ EQUALITY caseExactIA5Match`
		`+ SUBSTR caseExactIA5SubstringsMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ attributeTypes: (`
		`+ 1.3.6.1.1.1.1.33 NAME 'automountInformation'`
		`+ DESC 'Automount information'`
		`+ EQUALITY caseExactIA5Match`
		`+ SUBSTR caseExactIA5SubstringsMatch`
		`+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
		`+ SINGLE-VALUE`
		`+ )`
		`+ # end of attribute types - beginning of objectclasses`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY`
		`+ DESC 'Abstraction of an account with POSIX attributes'`
		`+ MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )`
		`+ MAY ( userPassword $ loginShell $ gecos $`
		`+ description )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY`
		`+ DESC 'Additional attributes for shadow passwords'`
		`+ MUST uid`
		`+ MAY ( userPassword $ description $`
		`+ shadowLastChange $ shadowMin $ shadowMax $`
		`+ shadowWarning $ shadowInactive $`
		`+ shadowExpire $ shadowFlag )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY`
		`+ DESC 'Abstraction of a group of accounts. Change from`
		`+ rfc2307bis -> +MAY cn'`
		`+ MUST gidNumber`
		`+ MAY ( cn $ userPassword $ memberUid $`
		`+ description )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL`
		`+ DESC 'Abstraction an Internet Protocol service.`
		`+ Maps an IP port and protocol (such as tcp or udp)`
		`+ to one or more names; the distinguished value of`
		`+ the cn attribute denotes the services canonical`
		`+ name'`
		`+ MUST ( cn $ ipServicePort $ ipServiceProtocol )`
		`+ MAY description`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL`
		`+ DESC 'Abstraction of an IP protocol. Maps a protocol number`
		`+ to one or more names. The distinguished value of the cn`
		`+ attribute denotes the protocols canonical name'`
		`+ MUST ( cn $ ipProtocolNumber )`
		`+ MAY description`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL`
		`+ DESC 'Abstraction of an Open Network Computing (ONC)`
		`+ [RFC1057] Remote Procedure Call (RPC) binding.`
		`+ This class maps an ONC RPC number to a name.`
		`+ The distinguished value of the cn attribute denotes`
		`+ the RPC services canonical name'`
		`+ MUST ( cn $ oncRpcNumber )`
		`+ MAY description`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY`
		`+ DESC 'Abstraction of a host, an IP device. The distinguished`
		`+ value of the cn attribute denotes the hosts canonical`
		`+ name. Device SHOULD be used as a structural class.`
		`+ Change from rfc2307bis -> +MAY o $ ou $ owner $ seeAlso`
		`+ $ serialNumber'`
		`+ MUST ( cn $ ipHostNumber )`
		`+ MAY ( userPassword $ l $ description $ manager $ o $ ou $ owner $ seeAlso $ serialNumber )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL`
		`+ DESC 'Abstraction of a network. The distinguished value of`
		`+ the cn attribute denotes the networks canonical name'`
		`+ MUST ipNetworkNumber`
		`+ MAY ( cn $ ipNetmaskNumber $ l $ description $ manager )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL`
		`+ DESC 'Abstraction of a netgroup. May refer to other netgroups'`
		`+ MUST cn`
		`+ MAY ( nisNetgroupTriple $ memberNisNetgroup $ description )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL`
		`+ DESC 'A generic abstraction of a NIS map'`
		`+ MUST nisMapName`
		`+ MAY description`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL`
		`+ DESC 'An entry in a NIS map'`
		`+ MUST ( cn $ nisMapEntry $ nisMapName )`
		`+ MAY description`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY`
		`+ DESC 'A device with a MAC address; device SHOULD be`
		`+ used as a structural class. Change from rfc2307bis`
		`+ -> +MAY cn $ description $ l $ o $ ou $ owner $`
		`+ seeAlso $ serialNumber'`
		`+ MAY ( macAddress $ cn $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY`
		`+ DESC 'A device with boot parameters; device SHOULD be`
		`+ used as a structural class. Change from rfc2307bis`
		`+ -> +MAY cn $ description $ l $ o $ ou $ owner $`
		`+ seeAlso $ serialNumber'`
		`+ MAY ( bootFile $ bootParameter $ cn $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY`
		`+ DESC 'An object with a public and secret key'`
		`+ MUST ( cn $ nisPublicKey $ nisSecretKey )`
		`+ MAY ( uidNumber $ description )`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY`
		`+ DESC 'Associates a NIS domain with a naming context'`
		`+ MUST nisDomain`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL`
		`+ MUST ( automountMapName )`
		`+ MAY description`
		`+ )`
		`+ objectClasses: (`
		`+ 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL`
		`+ DESC 'Automount information'`
		`+ MUST ( automountKey $ automountInformation )`
		`+ MAY description`
		`+ )`
		`+ ## namedObject is needed for groups without members`
		`+ objectClasses: (`
		`+ 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL`
		`+ MAY cn`
		`+ )`

firstyear commented 4 years ago

Bug Description: rfc2307 is the original schema for posix and other related
attributes. rfc2307bis was a draft propsed by a member of the openldap team
that fixed a number of deficiencies in rfc2307. However, rfc2307bis is not
completely forward compatible - replacing them may introduce possible data
errors or other subtle issues.

In the interest of allowing easier openldap to 389 migrations
( https://pagure.io/389-ds-base/issue/50544 ) I propose a rfc2307compat,
which is a forward compatible version combining rfc2307 and rfc2307bis. This
would allow items from both to be considered "valid' without changing the
semantics of either.

Fix Description: This adds rfc2307compat.ldif, which is a forward compatabile
expression of both rfc2307 and rfc2307bis, with the knowledge that 389 ds
does not enforce structural/auxillary rules.

https://pagure.io/389-ds-base/issue/50933

Author: William Brown william@blackhats.net.au

Review by: ???

firstyear commented 4 years ago

> diff -u ldap/schema/10rfc2307bis.ldif ldap/schema/10rfc2307compat.ldif
--- ldap/schema/10rfc2307bis.ldif   2018-12-30 09:52:58.000000000 +1000
+++ ldap/schema/10rfc2307compat.ldif    2020-03-05 14:49:27.000000000 +1000
@@ -1,6 +1,6 @@
-# New and improved RFC 2307 schema (aka RFC 2307 bis)
+# New and improved RFC 2307 schema that is forward compatable between
+# rfc2307 and rfc2307bis (aka RFC 2307 compat)
 #      "An Approach for Using LDAP as a Network Information Service"
-# This schema has not yet been approved.
 #
 dn: cn=schema
 attributeTypes: (
@@ -241,9 +241,9 @@
   )
 objectClasses: (
   1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
-  DESC 'Abstraction of a group of accounts'
+  DESC 'Abstraction of a group of accounts - +MAY cn'
   MUST gidNumber
-  MAY ( userPassword $ memberUid $
+  MAY ( cn $ userPassword $ memberUid $
         description )
   )
 objectClasses: (
@@ -278,9 +278,10 @@
   1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
   DESC 'Abstraction of a host, an IP device. The distinguished
         value of the cn attribute denotes the hosts canonical
-        name. Device SHOULD be used as a structural class'
+        name. Device SHOULD be used as a structural class.
+        +MAY o $ ou $ owner $ seeAlso $ serialNumber'
   MUST ( cn $ ipHostNumber )
-  MAY ( userPassword $ l $ description $ manager )
+  MAY ( userPassword $ l $ description $ manager $ o $ ou $ owner $ seeAlso $ serialNumber )
   )
 objectClasses: (
   1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
@@ -310,14 +311,16 @@
 objectClasses: (
   1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
   DESC 'A device with a MAC address; device SHOULD be
-        used as a structural class'
-  MAY macAddress
+        used as a structural class. +MAY cn $ description $
+        l $ o $ ou $ owner $ seeAlso $ serialNumber'
+  MAY ( macAddress $ cn $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber )
   )
 objectClasses: (
   1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
   DESC 'A device with boot parameters; device SHOULD be
-        used as a structural class'
-  MAY ( bootFile $ bootParameter )
+        used as a structural class. +MAY cn $ description $
+        l $ o $ ou $ owner $ seeAlso $ serialNumber'
+  MAY ( bootFile $ bootParameter $ cn $ description $ l $ o $ ou $ owner $ seeAlso $ serialNumber )
   )
 objectClasses: (
   1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY

abbra commented on line 245 of ldap/schema/10rfc2307compat.ldif 4 years ago

Is the '- +MAY cn' part an oversight or intended part of the description?

abbra commented 4 years ago

If that's intended, it is just a bit confusing as there is no explanation in the commit message about these markers.

firstyear commented 4 years ago

They are intended in the description to indicate how this diverges from rfc2307bis, but since they caused confusion, I need to make that clearer!

rebased onto 97a23705e619d1e5f26dce76ba83fab08d99c8c9

4 years ago

firstyear commented 4 years ago

Updated to improve clarity of the description.

tbordaz commented on line 22 of ldap/schema/10rfc2307compat.ldif 4 years ago

gecos is not compatible. It is directoryString in 2307 and become IA5 in 2307bis. It should not be part of this compat file

tbordaz commented on line 99 of ldap/schema/10rfc2307compat.ldif 4 years ago

I have a doubt with nisNetgroupTriple. It goes from IA5 syntax to caseIgnoreIA5Match.
I think it should be possible to have an entry with values like 'FOO' and 'foo', that were different and are equal now.

tbordaz commented on line 111 of ldap/schema/10rfc2307compat.ldif 4 years ago

similar doubt (ipServiceProtocol). It goes to dirstring syntax to caseIgnore (inherited from name).
Wonder if 'FOO' and 'foo' values are now equal

Edited 4 years ago by tbordaz

tbordaz commented on line 131 of ldap/schema/10rfc2307compat.ldif 4 years ago

same as above (ipHostNumber)

tbordaz commented on line 137 of ldap/schema/10rfc2307compat.ldif 4 years ago

same as above (ipNetworkNumber)

tbordaz commented on line 144 of ldap/schema/10rfc2307compat.ldif 4 years ago

Same as above (ipNetmaskNumber)

tbordaz commented on line 153 of ldap/schema/10rfc2307compat.ldif 4 years ago

same as above (macAddress)

tbordaz commented on line 171 of ldap/schema/10rfc2307compat.ldif 4 years ago

same as above (nisMapName)

tbordaz commented on line 246 of ldap/schema/10rfc2307compat.ldif 4 years ago

This change worth a test that new posixGroup will be replicated.
In theory the new definition is a superset of the old one, so it should be replicated

firstyear commented 4 years ago

Good spotting, I'll fix these syntaxes up. I think leaving them as directoryString may be safer since it's a broader set of characters.

firstyear commented 4 years ago

Also some quick research shows that nisnetgroups ARE case sensitive so I don't know why they were made insensitive in rfc2307bis ....

firstyear commented 4 years ago

Anyway, Ithink you are right about these, so I have cleaned this up after reviewing my own rfc2307 and rfc2307bis diff.

rebased onto 73e373eb4efcfdb419c929ed538597b2e34e3fb9

4 years ago

firstyear commented 4 years ago

@tbordaz ping to review this :)

tbordaz commented 4 years ago

I still think there are problems for

ipServiceProtocol, ipHostNumber, ipNetworkNumber, nisMapName (dirstring exact case to dirstring ignore case (inherited from name)), could you specify matching syntax/MR )

ipNetmaskNumber, macAddress (dirstring exact case to IA5 ignore case could you specify the MR)

firstyear commented 4 years ago

Honestly, I feel a bit silly with those, I swear you pointed them out before, and I remember fixing them but apparently not. :)

Please forgive me taking your precious time on silly mistakes!

firstyear commented 4 years ago

HAHAHAH you know what I did ... I fixed them in 10rfc2307bis.ldif not 10rfc2307compat.ldif >.<

Time to check to make sure the commit is sane then ....

rebased onto 004e78ee4ec19f8b82de0776886764aa6de02fcd

4 years ago

firstyear commented 4 years ago

Okay, thank you again @tbordaz for the review, and thanks for your patience - I have checked properly and I edited the correct file this time!

tbordaz commented on line 146 of ldap/schema/10rfc2307compat.ldif 4 years ago

I think we should not specify caseIgnore (just remove equality MR).

tbordaz commented on line 154 of ldap/schema/10rfc2307compat.ldif 4 years ago

idem as above.

tbordaz commented 4 years ago

Except definition eq=caseIgnoreIA5Match for ipNetmaskNumber and macAddress the rest of the patch looks good

firstyear commented 4 years ago

No both of these are correct actually. The case ignore means we accept mac addresses of AA:BB:CC ... and aa:bb:cc as the same, so regardless of how they were input, they'll match properly. Similar with the ip addresses if you use hex notation of the ipaddress.

tbordaz commented 4 years ago

Yes with caseignore AA:BB:CC and aa:bb:cc are now equal with the patch. My concern is that they were not equal in the previous definition (dirstring). So the following entry was valid

cn: cn=foo,cn=hosts,<suffix>
...
macAddress: aa:bb:cc:
macAddress: AA:BB:CC:

But with caseignore, the entry will contain duplicate values

tbordaz commented 4 years ago

Not only duplicate values but changing the matching rule, I think normalization will change and then we need to reindex the attributes.

firstyear commented 4 years ago

That's true. I think that it's unlikely people use these attributes anyway, so this behaviour has been known for a while, so I'll update that ldif.

rebased onto cfebef966cc03e731df95954d0e79ff209ef5b79

4 years ago

tbordaz commented 4 years ago

Thanks for the changes and your patience. ACK

rebased onto 0683bcd

4 years ago

Pull-Request has been merged by firstyear

4 years ago

abbra commented 4 years ago

One thing that was found by testing is that 389-ds now has two nisDomain definitions (in 60nis.ldif and in the new file) but they are using different OIDs. FreeIPA uses older 389-ds' OID for nisDomain since 2013. With this pull request merged, FreeIPA cannot be installed anymore:
https://bugzilla.redhat.com/show_bug.cgi?id=1820176

firstyear commented 4 years ago

Errghhh of course there is some cursed extra nis schema that only freeipa uses that would conflict here.

So it looks like 60nis.ldif conflicts with 10rfc2307bis.ldif anyway, on nisPublicKey, nisSecretKey and nisDomain. Even better, they use different syntaxes (1.3.6.1.4.1.1466.115.121.1.26 caseinsensitive in 60nis.ldif vs 1.3.6.1.4.1.1466.115.121.1.40 from 2307bis. ). Thankfully the nisDomain types seem to agree at least (60nis.ldif adds a substr mr though). Even better, it appears that whoever made 10rfc2307bis.ldif and 60nis.ldif, well, there isn't an agreed set of oids, they just kept allocating in sequence from the original rfc2307. So there is no actual guidance on what the values should look like.

Right now, the only one of these two that looks "more" legitimate is rfc2307bis' definition, as it's actually associated to an rfc, and more widely used thanks to openldap - and openldap to 389-ds migration is what I care about.

So:

Does freeipa use nisPublickey or nisSecretkey or nisDomain?

My current suggested course of action:

remove nisPublicKey, nisSecretKey and nisDomain from 60nis.ldif
Add substr caseIgnoreIA5SubstringsMatch to nisDomain in 2307compat.ldif

This seems like the safest way to progress since on an rpm upgrade, we'll replace the content of 60nis.ldif and 2307compat.ldif so it should make the 389-ds upgrade process seamless. Most installs outside of freeipa won't be affected because they probably don't use 60nis.ldif anyway.

The other option is:

remove nisPublicKey, nisSecretKey and nisDomain from 10rfc2307bis.ldif
rename 60nis.ldif to 09nis.ldif
make 09nis.ldif a default system schema rather than a sample.

I don't like this option as much, it's a bit more invasive.

I think that regardless, freeipa will need to do some work or make changes to account for this regardless of what we choose, as I suspect you have copied 60nis.ldif to the /etc/dirsrv/slapd-instance/schema dir (perhaps in the future, symlinking that to the sample data would allow us to have safer upgrade options ....). So if we change 60nis.ldif, you need to account for that. If we rename it, you need to account for that. IMO you're best bet is the first option and to then change 60nis.ldif in your /etc schema dir to a symlink to the sample data.

Perhaps long term to prevent people using the /etc schema dir with our sample schema data so much, we should consider putting all system supplied schema in the main dir and making it always active, so that people don't have to copy the sample data or mess about with /etc schema unless it really is custom .....

abbra commented 4 years ago

I checked FreeIPA and there is no usage of nisSecretKey and nisPublicKey attributes. nisDomain is used in a single place at the base DN level.

FreeIPA does not install 60nis.ldif at all. Commit https://pagure.io/freeipa/c/1eec34393b8a7ccd420a7fa540462f5d8779977c?branch=master shows that this variant of 2307bis schema was merged to FreeIPA about the same time (month before) it was merged to Fedora Directory.

I looked around for any application that might be using nisDomain and haven't been able to find any. We use nisDomainName attribute in slapi-nis and many other places but that comes from IPA itself. autofs doesn't need nisDomain. SUDO doesn't need nisDomain.

So your first proposal would seem to work OK if it is not going to break replication. How can we ensure that?

tbordaz commented 4 years ago

On DS side, 60nis.ldif is buggy and needs to be fixed the way @firstyear recommended.
On Freeipa side the script RFC2307bis.update should be modified.

Regarding schema replication there is a risk that a definition of nisDomain with OID 1.3.6.1.4.1.1.1.1.12 land in 99user.ldif. In that case it will conflict with rfc2307compat and prevent DS restart. Options I can think of, move rfc2307compat to 'data', improve schema replication to check duplicate OID, document release note to do manual cleanup.

mreynolds commented 4 years ago

Currently master branch is broken for me. New instances fail to start because of this change.

We might need to revert this commit if it there is no speedy resolution...

firstyear commented 4 years ago

In your dev environment, you need to remove 10rfc2307.ldif from schema in your installed dir IE rm /opt/dirsrv/share/dirsrv/schema/10rfc2307.ldif because the make install can't remove it for you. This won't affect RPM's because they get a clean build root, and the rpm well remove the file as it's not longer in the file list.

Ill look at and comment on the 60nis.ldif later :)

firstyear commented 4 years ago

@mreynolds I'm going to submit a fix for the 60nis.ldif issue today, but like I said, remove the extra file. If it's still an issue, we can revert and then work out abetter plan. :)

spichugi commented 3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3987

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago

Metadata

Assignee

None

Tags

No Tags

Changes Summary 2

file added

ldap/schema/10rfc2307compat.ldif

389-ds-base

Source Code

#50934 Ticket 50933 - rfc2307compat.ldif Closed 3 years ago by spichugi. Opened 4 years ago by firstyear. firstyear/389-ds-base 50933-rfc2307-compat into master

Metadata

Changes Summary 2

#50934 Ticket 50933 - rfc2307compat.ldif

Closed 3 years ago by spichugi. Opened 4 years ago by firstyear.

firstyear/389-ds-base 50933-rfc2307-compat into master