#2545 custom objectClasses used as "structural"
Closed: Invalid None Opened 12 years ago by mpizzoli.

Hi,
as I reported on the mailing list:
https://www.redhat.com/archives/freeipa-users/2012-March/msg00189.html

After extending the ldap schema with custom objectClasses, and having told it to use them for user and group creation, FreeIPA creates LDAP user and group objects with wrong(?) structural-ity of the custom objectClasses.

This was encountered with 2.2 Beta1, the latest published as of today.

I think all the necessary info is reported in the email. If more is needed, I'm here :-)


Objects only list what objectClasses are attached to them, there is no "structurality" attribute on objects.

OK, after some more discussion on the freeipa-users list, this is what seems to happen.

The admin installed new schema files, these files define various objectclasses as AUXILIARY, yet once loaded by 389ds they show up as STRUCTURAL in cn=schema.

Example class from file:

objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes'
SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi
DB2' MAY ( xxxDB2GruppiPrivilegi ))

Same class when retrieved from cn=schema:

objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes'
DESC 'Definizione di attributi specifici per i gruppi DB2' STRUCTURAL MAY
xxxDB2GruppiPrivilegi )

This may just be an issue with the schema definition parser in 389-ds-base. The parser is very picky. I notice that the example objectclass from the schema file has the AUXILIARY keyword in a different position than the STRUCTURAL keyword that is returned from searching "cn=schema". I know that we expect the schema definition keywords in the exact order shown in the RFCs, so I expect the parser isn't even noticing the AUXILIARY keyword during schema loading. This likely causes us to default to STRUCTURAL. Notice also that "SUP top" is missing. I believe that this is due to the DESC keyword being after the SUP and AUXILIARY keywords.

Try making the objectclass definition look like this in your schema file:

objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi DB2' SUP top AUXILIARY MAY ( xxxDB2GruppiPrivilegi ))

Related to 389-ds ticket https://fedorahosted.org/389/ticket/153

Closing, not an IPA bug.
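A small check for the keyword-order problem discussed in this ticket, added here as an example (it is not code from FreeIPA or 389-ds-base): it compares the keywords of an objectClass definition against the field order of RFC 4512, section 4.1.1, so a misplaced DESC or kind keyword is caught before the schema file is loaded. The function names are hypothetical, and keywords are matched in upper case only, as they appear in the ticket.

```python
import re

# Field order of ObjectClassDescription in RFC 4512, section 4.1.1.
# The three kind keywords share one position.
RANK = {"NAME": 0, "DESC": 1, "OBSOLETE": 2, "SUP": 3,
        "ABSTRACT": 4, "STRUCTURAL": 4, "AUXILIARY": 4,
        "MUST": 5, "MAY": 6}
KINDS = {"ABSTRACT", "STRUCTURAL", "AUXILIARY"}

# A token is a quoted string, a parenthesis, or a run of other characters.
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")


def keyword_sequence(definition):
    """Return the field keywords in the order they appear."""
    value = re.sub(r"(?i)^\s*objectclasses:\s*", "", definition)
    # Quoted tokens never match: a DESC string may contain keyword-like words.
    return [t for t in TOKEN.findall(value) if t in RANK]


def check_order(definition):
    """Return findings; an empty list means the fields are in RFC order."""
    findings = []
    seen = keyword_sequence(definition)
    highest = None  # keyword with the highest rank seen so far
    for kw in seen:
        if highest is not None and RANK[kw] < RANK[highest]:
            findings.append(f"{kw} appears after {highest}")
        else:
            highest = kw
    if not KINDS.intersection(seen):
        findings.append("no kind keyword present")
    return findings


# The two definitions quoted in the ticket, each joined onto one line.
FROM_FILE = ("objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' "
             "SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi "
             "DB2' MAY ( xxxDB2GruppiPrivilegi ))")
SUGGESTED = ("objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' "
             "DESC 'Definizione di attributi specifici per i gruppi DB2' "
             "SUP top AUXILIARY MAY ( xxxDB2GruppiPrivilegi ))")

if __name__ == "__main__":
    for label, text in (("file", FROM_FILE), ("suggested", SUGGESTED)):
        print(label, check_order(text) or "fields in RFC 4512 order")
```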

Metadata Update from @mpizzoli:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago
