#8717 'attribute "entryuuid" not allowed' when adding a new attribute to compat schema
Closed: invalid 3 years ago by erowlands. Opened 3 years ago by erowlands.

Issue

I want to add an entryUUID attribute to the compat schema. However, when I try to add one to the schema, I get an error message in the dirsrv log file.

Steps to Reproduce

  1. ldapmodify -xWD 'cn=Directory Manager' -f entryUUID.ldif (see below)
  2. The log shows the below error:

ERR - oc_check_allowed_sv - Entry "cn=groupname1,cn=groups,cn=compat,dc=example,dc=org" -- attribute "entryuuid" not allowed
ERR - oc_check_allowed_sv - Entry "cn=groupname2,cn=groups,cn=compat,dc=example,dc=org" -- attribute "entryuuid" not allowed
ERR - oc_check_allowed_sv - Entry "cn=groupname3,cn=groups,cn=compat,dc=example,dc=org" -- attribute "entryuuid" not allowed

Actual behavior

The attribute is not added to the compat schema, and there is an error in the log file.

Expected behavior

The attribute should be added to the compat schema.

Version/Release/Distribution

Fedora 33

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.1-1.fc33.x86_64
freeipa-client-4.9.1-1.fc33.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-1.4.4.12-1.fc33.x86_64
pki-ca-10.10.3-3.fc33.noarch
krb5-server-1.18.2-29.fc33.x86_64

Additional info:

The LDIF file I am using (entryUUID.ldif):

dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: entryUUID=%deref_r("member","ipaUniqueID")
-

I don't believe this to be a 389ds issue since (from what I can tell) it has RFC4350 support already.


You need to add an objectclass that allows entryUUID in the entry as well, with the same schema-compat-entry-attribute: objectclass=<classname> statement.

There is no default objectclass that permits use of the entryUUID attribute because when a server implements entryUUID, it is done by making it an operational attribute. However, slapi-nis plugins implement a virtual tree that does not have any support for operational attributes, so you need to create your own definition (and own that objectclass OID).

This is not really a FreeIPA issue, btw.
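
A pre-flight check for the point made in the comment above, as an added example that is not part of this ticket or of FreeIPA/slapi-nis code: it lists the attributes a compat container would generate that none of its configured objectclasses permit, which is the condition behind the "not allowed" errors in the log. The class name `exampleCompatUUID`, the `<YOUR-OID>` placeholder and every sample configuration value except the entryUUID line are assumptions constructed for illustration.

```python
import re

# Constructed inputs. posixGroup follows RFC 2307; exampleCompatUUID and
# <YOUR-OID> are hypothetical placeholders for a class and OID you own.
SCHEMA = [
    "( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL "
    "MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )",
    "( <YOUR-OID> NAME 'exampleCompatUUID' SUP top AUXILIARY MAY ( entryUUID ) )",
]
# schema-compat-entry-attribute values: only the entryUUID line is from the
# ticket, the others are constructed and not copied from a real server.
BEFORE = [
    "objectclass=posixGroup",
    "gidNumber=%{gidNumber}",
    "cn=%{cn}",
    'entryUUID=%deref_r("member","ipaUniqueID")',
]
AFTER = BEFORE + ["objectclass=exampleCompatUUID"]


def parse_objectclass(definition):
    """Return (lowercased name, set of lowercased MUST/MAY attribute names)."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1).lower()
    allowed = set()
    pattern = r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|([\w-]+))"
    for group, single in re.findall(pattern, definition):
        allowed.update(a.strip().lower() for a in (group or single).split("$"))
    return name, allowed


def disallowed_attributes(entry_attrs, schema_defs):
    """Attributes the entry would carry that no listed objectclass permits.

    Simplification: SUP inheritance is not followed, so list every class
    whose MUST/MAY attributes the entry relies on.
    """
    classes = dict(parse_objectclass(d) for d in schema_defs)
    pairs = [v.split("=", 1) for v in entry_attrs]
    listed = {val.lower() for attr, val in pairs if attr.lower() == "objectclass"}
    unknown = listed - classes.keys()
    if unknown:
        raise ValueError(f"objectclass not in schema: {sorted(unknown)}")
    allowed = {"objectclass"}.union(*(classes[c] for c in listed))
    return sorted({attr.lower() for attr, _ in pairs} - allowed)


if __name__ == "__main__":
    print("before:", disallowed_attributes(BEFORE, SCHEMA))
    print("after: ", disallowed_attributes(AFTER, SCHEMA))
```
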

You need to add an objectclass that allows entryUUID in the entry as well, with the same schema-compat-entry-attribute: objectclass=<classname> statement.

There is no default objectclass that permits use of the entryUUID attribute because when a server implements entryUUID, it is done by making it an operational attribute. However, slapi-nis plugins implement a virtual tree that does not have any support for operational attributes, so you need to create your own definition (and own that objectclass OID).

Ah... I see. That sounds like a bit of a problem.

This is not really a FreeIPA issue, btw.

Yeah, I wasn't really sure where the problem was, but I was certain that someone here would be able to identify it.

Metadata Update from @erowlands:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

3 years ago
