[Fedora-directory-users] DS doesn't load sudo and host attribute schemas - just silently ignores them

Rich Megginson rmeggins at redhat.com
Sat Apr 19 15:03:06 UTC 2008


Itonohito wrote:
> Hello!
>
> I've installed Fedora DS 1.1 on Fedora Core 7. Configured and running.
> Now I'm trying to add the two following schemas to it:
>
> 1. Schema adding a host attribute to restrict login access for users 
> on a per-host basis:
> #---------------------------------------------------------------------
> #
> dn: cn=schema
> #
> #---------------------------------------------------------------------
> #
> # objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME 
> 'authorizedServiceObject' DESC 'Auxiliary object class for adding 
> authorizedService attribute' SUP top AUXILIARY MAY authorizedService )
> #
> objectClasses: (
>  1.3.6.1.4.1.5322.17.1.1
>  NAME 'authorizedServiceObject'
>  DESC 'Auxiliary object class for adding authorizedService attribute'
>  SUP top
>  AUXILIARY
>  MAY authorizedService
>  )
> #
> #---------------------------------------------------------------------
> #
> # objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 
> 'Auxiliary object class for adding host attribute' SUP top AUXILIARY 
> MAY host )
> #
> objectClasses: (
>  1.3.6.1.4.1.5322.17.1.2
>  NAME 'hostObject'
>  DESC 'Auxiliary object class for adding host attribute'
>  SUP top
>  AUXILIARY
>  MAY host
>  )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' 
> DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch 
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
> #
> attributeTypes: (
>  1.3.6.1.4.1.5322.17.2.1
>  NAME 'authorizedService'
>  DESC 'IANA GSS-API authorized service name'
>  EQUALITY caseIgnoreMatch
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
>  )
>
>
> 2. Schema for sudo support:
> #---------------------------------------------------------------------
> #
> dn: cn=schema
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 
> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR 
> caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>  1.3.6.1.4.1.15953.9.1.1
>  NAME 'sudoUser'
>  DESC 'User(s) who may run sudo'
>  EQUALITY caseExactIA5Match
>  SUBSTR caseExactIA5SubstringsMatch
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>  )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 
> 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR 
> caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>  1.3.6.1.4.1.15953.9.1.2
>  NAME 'sudoHost'
>  DESC 'Host(s) who may run sudo'
>  EQUALITY caseExactIA5Match
>  SUBSTR caseExactIA5SubstringsMatch
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>  )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 
> 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 
> 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>  1.3.6.1.4.1.15953.9.1.3
>  NAME 'sudoCommand'
>  DESC 'Command(s) to be executed by sudo'
>  EQUALITY caseExactIA5Match
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>  )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 
> 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 
> 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>  1.3.6.1.4.1.15953.9.1.4
>  NAME 'sudoRunAs'
>  DESC 'User(s) impersonated by sudo'
>  EQUALITY caseExactIA5Match
>  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>  )
>
>
> Both were created by the RFC 2252 compliant converter ol2rhds.pl, found on 
> the Fedora DS Wiki site.
>
> I placed those two schemas as files 70host.ldif and 71sudoers.ldif into 
> the schema subdirectory of dirsrv (to be exact, I placed three schemas, 
> but the third one, for dhcp, works fine). And restarted the server.
/etc/dirsrv/schema is the schema used when creating new instances of 
directory server.  If you already have an instance (e.g. 
/etc/dirsrv/slapd-foo) you should copy the schema files into 
/etc/dirsrv/slapd-foo/schema.
> But the server doesn't load them; it looks like it doesn't even see them. 
> They have exactly the same ownership and permissions as all the other 
> schema files in that directory though. Here's the full list of schema files:
>
> 00core.ldif
> 01common.ldif
> 05rfc2247.ldif
> 05rfc2927.ldif
> 10presence.ldif
> 10rfc2307.ldif
> 20subscriber.ldif
> 25java-object.ldif
> 28pilot.ldif
> 30ns-common.ldif
> 50ns-admin.ldif
> 50ns-certificate.ldif
> 50ns-directory.ldif
> 50ns-mail.ldif
> 50ns-value.ldif
> 50ns-web.ldif
> 60pam-plugin.ldif
> 64ldapdhcp.ldif
> 70host.ldif
> 71sudoers.ldif
> 99user.ldif
>
> And I see no errors in the error log. I turned on output of all debug data 
> into the log file via the Management Console and restarted the server 
> again. There is a huge amount of debug info in the error log, but nothing 
> about those two schemas...
> Here is the part of the log where the server loads the schema files:
>
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry 
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/60pam-plugin.ldif
> [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="#
> #***********************************************..."
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry 
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif
> [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="dn: 
> cn=schema
> objectClass: top
> objectClass: ldapSu..."
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry 
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/99user.ldif 
> (primary file)
>
>
> Can somebody give me any clue? What did I miss, what did I do wrong?...
>
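As an added check that is not part of this thread: the script below reads the `dse_read_one_file` trace lines from the errors log, in the shape of the excerpt above, and reports for each file you placed whether the instance actually read it and, if not, which directory the instance really loads schema from. The log lines and paths are constructed to mirror the question; it assumes each trace is written on one line (the mail client wrapped the excerpt).

```python
import re
from pathlib import PurePosixPath

# One trace line per schema file, as in the errors-log excerpt above
# (assumed: each trace is on a single line in the real log).
SCHEMA_READ_RE = re.compile(
    r'dse_read_one_file processing entry "cn=schema" in file (?P<path>\S+\.ldif)'
)

def loaded_schema_files(log_lines):
    """Paths of every schema file the server reported reading."""
    loaded = set()
    for line in log_lines:
        m = SCHEMA_READ_RE.search(line)
        if m:
            loaded.add(m.group("path"))
    return loaded

def check_schema_placement(dropped_files, log_lines):
    """Map each file you placed to 'loaded' or to a reason it was not read."""
    loaded = loaded_schema_files(log_lines)
    schema_dirs = sorted({str(PurePosixPath(p).parent) for p in loaded})
    where = ", ".join(schema_dirs) or "<no schema traces found; enable trace logging>"
    report = {}
    for path in dropped_files:
        if path in loaded:
            report[path] = "loaded"
        elif str(PurePosixPath(path).parent) in schema_dirs:
            # Right directory, yet no trace: check name, permissions or LDIF syntax.
            report[path] = "in the instance schema directory but not read; check the errors log"
        else:
            # Wrong directory, e.g. the /etc/dirsrv/schema template directory.
            report[path] = f"never read; the instance loads schema from {where}; copy it there and restart"
    return report

# Constructed sample: the instance reads its own schema directory, while two
# files were dropped into the template directory, as in the question above.
SAMPLE_LOG = [
    '[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif',
    '[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/99user.ldif (primary file)',
]
DROPPED = [
    "/etc/dirsrv/schema/70host.ldif",
    "/etc/dirsrv/schema/71sudoers.ldif",
    "/etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif",
]

if __name__ == "__main__":
    for path, status in check_schema_placement(DROPPED, SAMPLE_LOG).items():
        print(f"{path}: {status}")
```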
