In a very brief look I found a number of attributes and objectclasses in 60basev3.ldif that are not in an associated update file. The updates are split between 10-60basev3.update and 60-trusts.update.
missing attributes - ipaExternalMember
missing objectclasses - ipaExternalGroup
The definition for ipaNTFlatName has a misspelled ORDERING in both the 60basev3.ldif and the update file.
The error exhibits itself in the json_metadata command which explains why user_show worked fine. Here is the backtrace (date removed from Apache error_log):
ipa: DEBUG: json_metadata(None, None, object=u'all')
ipa: ERROR: non-public: KeyError: 'ipaExternalGroup'
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 334, in wsgi_execute
    result = self.Command[name](*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 435, in __call__
    ret = self.run(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 747, in run
    return self.execute(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 119, in execute
    (o.name, json_serialize(o)) for o in self.api.Object()
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/internal.py", line 119, in <genexpr>
    (o.name, json_serialize(o)) for o in self.api.Object()
  File "/usr/lib/python2.7/site-packages/ipalib/util.py", line 56, in json_serialize
    return json_serialize(obj.__json__())
  File "/usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py", line 600, in __json__
    attrs = self.api.Backend.ldap2.schema.attribute_types(objectclasses)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 377, in attribute_types
    object_class = self.sed[ObjectClass][object_class_oid]
KeyError: 'ipaExternalGroup'
ipa: INFO: user1@XXXX.COM: json_metadata(None, None, object=u'all'): KeyError
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=910902
Order is misspelled on these:
- ipaNTSecurityIdentifier
- ipaNTTrustedDomainSID
- ipaNTFlatName
- ipaNTHash
- ipaNTLogonScript
- ipaNTProfilePath
- ipaNTHomeDirectory
- ipaNTHomeDirectoryDrive
- ipaNTDomainGUID
attachment freeipa-rcrit-1087-schema.patch
master: 49beb8c
ipa-3-1: fd1cfd3
ipa-3-0: d6a92b2
Reopening, just found an issue:
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [ipaNTSecurityIdentifier]
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [ipaNTTrustedDomainSID]
[26/Feb/2013:09:47:37 -0500] attr_syntax_create - Error: the ORDERING matching rule [caseIgnoreIA5OrderingMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [ipaNTDomainGUID]
I will handle the regression. It just seems that the 1.3.6.1.4.1.1466.115.121.1.26 syntax (IA5 string) does not really have a compatible ORDERING rule. I will just use the default ORDERING for the new 1.3.6.1.4.1.1466.115.121.1.26 attributeTypes (we already do that for all other IA5 string attributeTypes).
attachment freeipa-mkosek-374-remove-ordering-for-ia5-attributetypes.patch
Patch freeipa-mkosek-374-remove-ordering-for-ia5-attributetypes.patch sent for review
Error messages fixed:
master: 4a6f3ca
ipa-3-1: 6832218
ipa-3-0: 9c00258
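The three problems raised in this ticket (definitions present in the schema LDIF but absent from the update files, a misspelled keyword in an attributeTypes definition, and an ORDERING rule on an IA5 String attribute) can be caught before deployment with a small lint. This is an added example, not code from FreeIPA or from the attached patches; the `add:attributeTypes:` update-file form is assumed, and the sample definitions, the 9.9.9.x OIDs and the misspelling `ORDERRING` are constructed.

```python
import re

# attributeTypes keywords from RFC 4512; X-* extensions are skipped separately.
ATTR_KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR",
                 "SYNTAX", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE"}
IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"
DEF_RE = re.compile(r"(?im)^(?:add:\s*)?(attributeTypes|objectClasses):\s*\((.*)\)\s*$")

def definitions(text):
    """Yield (kind, name, body) for every schema definition in an LDIF or update file."""
    for m in DEF_RE.finditer(re.sub(r"\n ", "", text)):  # unfold LDIF continuation lines
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", m.group(2))
        if name:
            yield m.group(1).lower(), name.group(1), m.group(2)

def lint(base_ldif, update_files):
    """Return (name, problem) pairs for the three issues discussed in the ticket."""
    updated = {(k, n.lower()) for u in update_files for k, n, _ in definitions(u)}
    findings = []
    for kind, name, body in definitions(base_ldif):
        if (kind, name.lower()) not in updated:
            findings.append((name, "missing from update files"))
        if kind != "attributetypes":
            continue
        words = re.sub(r"'[^']*'", " ", body).split()  # drop quoted NAME/DESC values
        for w in words:  # heuristic: all-caps tokens in a definition are keywords
            if re.fullmatch(r"[A-Z][A-Z-]+", w) and w not in ATTR_KEYWORDS and not w.startswith("X-"):
                findings.append((name, "unknown keyword " + w))
        if "ORDERING" in words and any(w.split("{")[0] == IA5_SYNTAX for w in words):
            findings.append((name, "ORDERING set on IA5 String syntax"))
    return findings

# Constructed sample data: only the names and the IA5 syntax OID come from the ticket;
# the 9.9.9.x OIDs, the rest of each definition and the misspelling are made up.
BASE = """dn: cn=schema
attributeTypes: ( 9.9.9.1 NAME 'ipaNTFlatName' EQUALITY caseIgnoreMatch
  ORDERRING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 9.9.9.2 NAME 'ipaNTSecurityIdentifier' EQUALITY caseIgnoreIA5Match
  ORDERING caseIgnoreIA5OrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( 9.9.9.3 NAME 'ipaExternalMember' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'constructed' )
objectClasses: ( 9.9.9.4 NAME 'ipaExternalGroup' SUP top STRUCTURAL MAY ( ipaExternalMember ) )
"""
UPDATE = """dn: cn=schema
add:attributeTypes: ( 9.9.9.1 NAME 'ipaNTFlatName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
add:attributeTypes: ( 9.9.9.2 NAME 'ipaNTSecurityIdentifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
"""

if __name__ == "__main__":
    for name, problem in lint(BASE, [UPDATE]):
        print(f"{name}: {problem}")
```

The keyword check is a heuristic that treats every all-uppercase token outside quotes as a keyword, so an attribute whose SUP or matching-rule name is written in capitals would be reported as well.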
Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.2 - 2013/02