#3398 Entire 60basev3 schema is not included in update file, other errors
Closed: Fixed None Opened 6 years ago by rcritten.

In a very brief look I found a number of attributes and objectclasses in 60basev3.ldif that are not in an associated update file. The updates are split between 10-60basev3.update and 60-trusts.update.

missing attributes
- ipaExternalMember

missing objectclasses
- ipaExternalGroup

The definition for ipaNTFlatName has a misspelled ORDERING in both the 60basev3.ldif and the update file.


The error exhibits itself in the json_metadata command which explains why user_show worked fine. Here is the backtrace (date removed from Apache error_log):

ipa: DEBUG: json_metadata(None, None, object=u'all')
ipa: ERROR: non-public: KeyError: 'ipaExternalGroup'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 119, in execute
    (o.name, json_serialize(o)) for o in self.api.Object()
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 119, in <genexpr>
    (o.name, json_serialize(o)) for o in self.api.Object()
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 56, in json_serialize
    return json_serialize(obj.__json__())
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 600, in __json__
    attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 377, in attribute_types
    object_class = self.sed[ObjectClass][object_class_oid]
KeyError: 'ipaExternalGroup'
ipa: INFO: user1@XXXX.COM: json_metadata(None, None, object=u'all'): KeyError

Order is misspelled on these:

- ipaNTSecurityIdentifier
- ipaNTTrustedDomainSID
- ipaNTFlatName
- ipaNTHash
- ipaNTLogonScript
- ipaNTProfilePath
- ipaNTHomeDirectory
- ipaNTHomeDirectoryDrive
- ipaNTDomainGUID

master: 49beb8c[[BR]]
ipa-3-1: fd1cfd3[[BR]]
ipa-3-0: d6a92b2

Reopening, just found an issue:

[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule                     [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the  attribute [ipaNTSecurityIdentifier]
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule                     [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the  attribute [ipaNTTrustedDomainSID]
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule                     [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the  attribute [ipaNTDomainGUID]

I will handle the regression. It just seems that 1.3.6.1.4.1.1466.115.121.1.26 syntax (IA5 string) does not really has a compatible ORDERING rule. I will just use default ORDERING for the new 1.3.6.1.4.1.1466.115.121.1.26 attributeTypes (we already do that for all others IA 5 string attributeTypes).

Patch freeipa-mkosek-374-remove-ordering-for-ia5-attributetypes.patch sent for review

Error messages fixed:

master: 4a6f3ca[[BR]]
ipa-3-1: 6832218[[BR]]
ipa-3-0: 9c00258

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/02

2 years ago

Login to comment on this ticket.

Metadata