Hi, as I reported on the mailing list: https://www.redhat.com/archives/freeipa-users/2012-March/msg00189.html
After extending the ldap schema with custom objectClasses, and having told it to use them for user and group creation, FreeIPA creates LDAP user and group objects with wrong(?) structural-ity of the custom objectClasses.
This was encountered with 2.2 Beta1, the latest published as of today.
I think all the necessary info is reported in the email. If other info is needed, I'm here :-)
Objects only list what objectClasses are attached to them, there is no "structurality" attribute on objects.
OK, after some more discussion on the freeipa-users list, this is what seems to happen.
The admin installed new schema files, these files define various objectclasses as AUXILIARY, yet once loaded by 389ds they show up as STRUCTURAL in cn=schema.
Example class from file:
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi DB2' MAY ( xxxDB2GruppiPrivilegi ))
Same class when retrieved from cn=schema:
objectClasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi DB2' STRUCTURAL MAY xxxDB2GruppiPrivilegi )
This may just be an issue with the schema definition parser in 389-ds-base. The parser is very picky. I notice that the example objectclass from the schema file has the AUXILIARY keyword in a different position than the STRUCTURAL keyword that is returned from searching "cn=schema". I know that we expect the schema definition keywords in the exact order shown in the RFCs, so I expect the parser isn't even noticing the AUXILIARY keyword during schema loading. This likely causes us to default to STRUCTURAL. Notice also that "SUP top" is missing. I believe that this is due to the DESC keyword being after the SUP and AUXILIARY keywords.
Try making the objectclass definition look like this in your schema file:
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi DB2' SUP top AUXILIARY MAY ( xxxDB2GruppiPrivilegi ))
Related to 389-ds ticket https://fedorahosted.org/389/ticket/153
Closing, not an IPA bug.
Metadata Update from @mpizzoli: - Issue assigned to someone - Issue set to the milestone: Tickets Deferred
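A pre-load check for custom schema files, added here as an example and not code from 389-ds-base or FreeIPA: it flags objectClass definitions whose keywords are not in the RFC 4512 order (NAME, DESC, OBSOLETE, SUP, kind, MUST, MAY), which is the situation discussed in this ticket. The function names `top_level_keywords`, `lint` and `declared_kind` are hypothetical; the two sample definitions are the ones quoted in the ticket.

```python
import re

# Rank of each keyword in ObjectClassDescription (RFC 4512, section 4.1.1).
RANK = {"NAME": 0, "DESC": 1, "OBSOLETE": 2, "SUP": 3,
        "ABSTRACT": 4, "STRUCTURAL": 4, "AUXILIARY": 4, "MUST": 5, "MAY": 6}
TAKES_ARG = {"NAME", "DESC", "SUP", "MUST", "MAY"}
TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")

def top_level_keywords(definition):
    """Return the keywords of one definition, in the order they were written."""
    body = definition[definition.index("("):]    # drop the "objectclasses:" prefix
    depth, skip_next, found = 0, False, []
    for tok in TOKEN.findall(body):
        if tok == "(":
            depth, skip_next = depth + 1, False  # parenthesised argument list
        elif tok == ")":
            depth -= 1
        elif depth == 1:
            if skip_next:                        # bare argument, e.g. "SUP top"
                skip_next = False
            elif tok.upper() in RANK:
                found.append(tok.upper())
                skip_next = tok.upper() in TAKES_ARG
    return found

def lint(definition):
    """List keywords that follow a field RFC 4512 places after them."""
    problems, highest, highest_word = [], -1, None
    for word in top_level_keywords(definition):
        if RANK[word] < highest:
            problems.append(f"{word} appears after {highest_word}")
        else:
            highest, highest_word = RANK[word], word
    return problems

def declared_kind(definition):
    """Kind written in the definition; RFC 4512 defaults to STRUCTURAL if absent."""
    kinds = [w for w in top_level_keywords(definition) if RANK[w] == 4]
    return kinds[0] if kinds else "STRUCTURAL"

# Definitions quoted in the ticket: the original file entry and the suggested fix.
FROM_FILE = "objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi DB2' MAY ( xxxDB2GruppiPrivilegi ))"
SUGGESTED = "objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' DESC 'Definizione di attributi specifici per i gruppi DB2' SUP top AUXILIARY MAY ( xxxDB2GruppiPrivilegi ))"

if __name__ == "__main__":
    for label, d in (("file", FROM_FILE), ("suggested", SUGGESTED)):
        print(label, declared_kind(d), lint(d) or "order OK")
```

Comparing `declared_kind` of the file entry with the kind returned from "cn=schema" after loading shows whether the server kept the class as written.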