[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapo-unique spins its wheels on a non-trivial olcUniqueURI spec

To: openldap-technical <openldap-technical@openldap.org>
Subject: slapo-unique spins its wheels on a non-trivial olcUniqueURI spec
From: "Norman Gray" <gray@nxg.name>
Date: Tue, 10 Sep 2019 18:20:32 +0100



Greetings.

I'm having difficulty creating a non-trivial olcUniqueURI spec.  Can
anyone advise me?

The problems are:

  * A plausible-looking spec in olcUniqueURI causes slapadd to spin
    its wheels indefinitely.
  * The manpage doesn't make it terribly clear what I should expect
    from a plausible-looking spec.

Details follow:

I want to specify something like

    dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcUniqueConfig
    olcOverlay: unique
    olcUniqueURI: ldap:///ou=dept-A,o=example?uidnumber?sub
      ldap:///ou=dept-B,o=example?uidnumber?sub

The idea is that the uidnumber attribute should be unique across the twoOUs,

ou=dept-A and ou=dept-B.

If I do this, however, then slapadd spins its wheels:

    $ rm -R /usr/local/etc/openldap/slapd.d/*

$ su -m ldap -c "slapadd -d255 -n 0 -F/usr/local/etc/openldap/slapd.d -l /usr/local/etc/openldap/slapd.ldif"

    ...
    ...

5d77d377 >>> dnPrettyNormal:<olcOverlay=unique,olcDatabase={1}mdb,cn=config>5d77d377 <<< dnPrettyNormal:<olcOverlay=unique,olcDatabase={1}mdb,cn=config>,<olcOverlay=unique,olcDatabase={1}mdb,cn=config>5d77d377 <=str2entry(olcOverlay=unique,olcDatabase={1}mdb,cn=config) -> 0x800d4eca85d77d377 oc_check_required entry(olcOverlay=unique,olcDatabase={1}mdb,cn=config), objectClass"olcUniqueConfig"

    5d77d377 oc_check_allowed type "objectClass"
    5d77d377 oc_check_allowed type "olcOverlay"
    5d77d377 oc_check_allowed type "olcUniqueURI"
    5d77d377 oc_check_allowed type "structuralObjectClass"
    5d77d377 >>> dnNormalize: <olcOverlay={1}unique>
    5d77d377 <<< dnNormalize: <olcOverlay={1}unique>
    5d77d377 ==> unique_db_init

5d77d377 ==> unique_new_domain<ldap:///ou=dept-A,o=example?uidnumber?subldap:///ou=dept-B,o=example?uidnumber?sub>

    5d77d377 >>> dnPrettyNormal: <ou=dept-A,o=example>

5d77d377 <<< dnPrettyNormal: <ou=dept-A,o=example>,<ou=dept-A,o=example>

    5d77d377 >>> dnPrettyNormal: <ou=dept-B,o=example>

5d77d377 <<< dnPrettyNormal: <ou=dept-B,o=example>,<ou=dept-B,o=example>

    5d77d377 >>> dnPrettyNormal: <ou=dept-B,o=example>

5d77d377 <<< dnPrettyNormal: <ou=dept-B,o=example>,<ou=dept-B,o=example>

    5d77d377 >>> dnPrettyNormal: <ou=dept-B,o=example>

5d77d377 <<< dnPrettyNormal: <ou=dept-B,o=example>,<ou=dept-B,o=example>

    5d77d377 >>> dnPrettyNormal: <ou=dept-B,o=example>

5d77d377 <<< dnPrettyNormal: <ou=dept-B,o=example>,<ou=dept-B,o=example>

    5d77d377 >>> dnPrettyNormal: <ou=dept-B,o=example>

5d77d377 <<< dnPrettyNormal: <ou=dept-B,o=example>,<ou=dept-B,o=example>

    ...
    ^C

and so on and on and on, apparently indefinitely.

slapo-unique(5) says that the syntax here is:

    unique_uri <[strict ][ignore ]URI[URI...]...>

Configure the base, attributes, scope, and filter foruniquenesschecking. Multiple URIs may be specified within adomain,allowing complex selections of objects. Multipleunique_uristatements or olcUniqueURI attributes will createindependentdomains, each with their own independent lists of URIsand

              ignore/strict settings.

Keywords strict and ignore have to be enclosed in quotes(")

              together with the URI.

The LDAP URI syntax is a subset of RFC-4516, and takesthe form:


              ldap:///[base dn]?[attributes...]?scope[?filter]

(I'm taking it that there should be a space between those
`URI[URI...]`)

in servers/slapd/overlays/unique.c, the comment above
`unique_new_domain` says instead

    * domain_specs look like
    *
    * [strict ][ignore ]uri[[ uri]...]
    * e.g. "ldap:///ou=foo,o=bar?uid?sub ldap:///ou=baz,o=bar?uid?sub";
    *      "strict ldap:///ou=accounts,o=bar?uid,uidNumber?one";
    *      etc
    *

So that's clearly permitting multiple URIs -- perhaps the quotes are
required (as the manpage hints).  But if I try

    olcUniqueURI: "ldap:///ou=dept-A,o=example?uidnumber?sub
      ldap:///ou=dept-B,o=example?uidnumber?sub";

...then I get

5d77d617 ==> unique_new_domain<"ldap:///ou=dept-A,o=example?uidnumber?subldap:///ou=dept-B,o=example?uidnumber?sub";>5d77d617 olcUniqueURI: value #0:<"ldap:///ou=dept-A,o=example?uidnumber?subldap:///ou=dept-B,o=example?uidnumber?sub";> invalid ldap urilist


from slapadd (so that's not the problem).  But the example there does
look VERY much like what I tried.

So:

  * I'm pretty sure I shouldn't be able to make slapadd spin its
    wheels like that.
  * The manpage text might be a little too telegraphic.  While I'm sure
    it's not _wrong_, it is quite hard to go from that text to a
    working spec with any confidence.

Googling olcUniqueURI produces very little of use. Is this not thecorrect way to do this?


This looks somewhat similar, in symptoms and module, to ITS#8162, but
it does seem distinct.

Thanks for any pointers.

Best wishes,

Norman





--
Norman Gray  :  https://nxg.me.uk

Follow-Ups:
- Re: slapo-unique spins its wheels on a non-trivial olcUniqueURI spec
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Antw: Is there a simple document that explains the various admin passwords?
Next by Date: Re: slapd and LetsEncrypt certificates: does a cert renewal necessitate a server restart?
Index(es):
- Chronological
- Thread