[Fedora-directory-users] DS doesn't load sudo and host attribute schemas - just silently ignores them
Rich Megginson
rmeggins at redhat.com
Sat Apr 19 15:03:06 UTC 2008
Itonohito wrote:
> Hello!
>
> I've installed Fedora DS 1.1 on Fedora Core 7. Configured and running.
> Now I'm trying to add the following two schemas to it:
>
> 1. Schema adding the host attribute to restrict login access for users
> on a per-host basis:
> #---------------------------------------------------------------------
> #
> dn: cn=schema
> #
> #---------------------------------------------------------------------
> #
> # objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME
> 'authorizedServiceObject' DESC 'Auxiliary object class for adding
> authorizedService attribute' SUP top AUXILIARY MAY authorizedService )
> #
> objectClasses: (
>   1.3.6.1.4.1.5322.17.1.1
>   NAME 'authorizedServiceObject'
>   DESC 'Auxiliary object class for adding authorizedService attribute'
>   SUP top
>   AUXILIARY
>   MAY authorizedService
>   )
> #
> #---------------------------------------------------------------------
> #
> # objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC
> 'Auxiliary object class for adding host attribute' SUP top AUXILIARY
> MAY host )
> #
> objectClasses: (
>   1.3.6.1.4.1.5322.17.1.2
>   NAME 'hostObject'
>   DESC 'Auxiliary object class for adding host attribute'
>   SUP top
>   AUXILIARY
>   MAY host
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
> DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
> #
> attributeTypes: (
>   1.3.6.1.4.1.5322.17.2.1
>   NAME 'authorizedService'
>   DESC 'IANA GSS-API authorized service name'
>   EQUALITY caseIgnoreMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
>   )
>
>
> 2. Schema for sudo support:
> #---------------------------------------------------------------------
> #
> dn: cn=schema
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC
> 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR
> caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.1
>   NAME 'sudoUser'
>   DESC 'User(s) who may run sudo'
>   EQUALITY caseExactIA5Match
>   SUBSTR caseExactIA5SubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC
> 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR
> caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.2
>   NAME 'sudoHost'
>   DESC 'Host(s) who may run sudo'
>   EQUALITY caseExactIA5Match
>   SUBSTR caseExactIA5SubstringsMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC
> 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.3
>   NAME 'sudoCommand'
>   DESC 'Command(s) to be executed by sudo'
>   EQUALITY caseExactIA5Match
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
> #
> #---------------------------------------------------------------------
> #
> # attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC
> 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.26 )
> #
> attributeTypes: (
>   1.3.6.1.4.1.15953.9.1.4
>   NAME 'sudoRunAs'
>   DESC 'User(s) impersonated by sudo'
>   EQUALITY caseExactIA5Match
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>   )
>
>
> Both were created by the RFC2252 compliant converter ol2rhds.pl, found on
> the Fedora DS wiki site.
>
> I placed those two schemas as the files 70host.ldif and 71sudoers.ldif
> into the schema subdirectory of dirsrv (to be exact, I placed three
> schemas, but the third one, for dhcp, works fine) and restarted the server.
/etc/dirsrv/schema is the schema used when creating new instances of
directory server. If you already have an instance (e.g.
/etc/dirsrv/slapd-foo) you should copy the schema files into
/etc/dirsrv/slapd-foo/schema.
> But the server doesn't load them; it looks like it doesn't even see them.
> They have exactly the same ownership and permissions as all the other
> schema files in that directory, though. Here's the full list of schema files:
>
> 00core.ldif
> 01common.ldif
> 05rfc2247.ldif
> 05rfc2927.ldif
> 10presence.ldif
> 10rfc2307.ldif
> 20subscriber.ldif
> 25java-object.ldif
> 28pilot.ldif
> 30ns-common.ldif
> 50ns-admin.ldif
> 50ns-certificate.ldif
> 50ns-directory.ldif
> 50ns-mail.ldif
> 50ns-value.ldif
> 50ns-web.ldif
> 60pam-plugin.ldif
> 64ldapdhcp.ldif
> 70host.ldif
> 71sudoers.ldif
> 99user.ldif
>
> And I see no errors in the error log. I turned on output of all debug data
> into the log file via the Management Console and restarted the server
> again; there is a huge amount of debug info in the error log, but nothing
> about those two schemas...
> Here is the part of the log where the server loads the schema files:
>
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/60pam-plugin.ldif
> [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="#
> #***********************************************..."
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif
> [19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="dn:
> cn=schema
> objectClass: top
> objectClass: ldapSu..."
> [19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
> [19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
> [19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry
> "cn=schema" in file /etc/dirsrv/slapd-ldap1/schema/99user.ldif
> (primary file)
>
>
> Can somebody give me a clue? What did I miss, what did I do wrong?...
>
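As an added example (not code from this thread, from Fedora DS, or from the ol2rhds.pl converter), here is a small Python checker for the two things the reply above and the reported symptoms point at: whether a custom schema file is in the directory the running instance actually reads (/etc/dirsrv/slapd-<instance>/schema, as Rich says, rather than the template directory /etc/dirsrv/schema), and whether the LDIF record itself is loadable: its dn is cn=schema and every folded definition line carries the single leading space that RFC 2849 requires, since a continuation line that lost its space leaves the definition unparsable and easy to overlook. The LDIF text and directory listings in it are constructed for the example; the ldapsearch command it prints uses `-o ldif-wrap=no`, which is OpenLDAP 2.4 client syntax.

```python
"""Added example: checks for a custom 389/Fedora DS schema LDIF file.

Placement check: an existing instance reads /etc/dirsrv/slapd-<instance>/schema;
/etc/dirsrv/schema is only the template used when creating new instances.
Content check: the record must be 'dn: cn=schema' and folded definitions must be
continued with a leading space (RFC 2849). All sample data is constructed."""
import re

TEMPLATE_SCHEMA_DIR = "/etc/dirsrv/schema"   # copied into new instances only


def instance_schema_dir(instance, config_root="/etc/dirsrv"):
    """Schema directory read by an existing instance, e.g. 'ldap1'."""
    return f"{config_root}/slapd-{instance}/schema"


def misplaced_files(template_listing, instance_listing):
    """Files present in the template dir but absent from the instance dir.

    Both arguments are plain iterables of file names (what os.listdir returns),
    so the check also runs against listings captured from another host."""
    return sorted(set(template_listing) - set(instance_listing))


def parse_schema_ldif(text):
    """Unfold one LDIF record into (attribute, value) pairs (RFC 2849 folding).

    Returns (pairs, problems). Comment lines are skipped. A non-blank line that
    neither starts with a space nor looks like 'attr: value' is reported; it is
    almost always a continuation line whose leading space was lost."""
    pairs, problems, current = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        if line == "":                       # a blank line ends the record
            if current:
                pairs.append(tuple(current))
                current = None
            continue
        if line.startswith(" "):             # continuation: drop the one space
            if current is None:
                problems.append(f"line {lineno}: continuation with no attribute line")
            else:
                current[1] += line[1:]
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*):\s?(.*)$", line)
        if m is None:
            problems.append(f"line {lineno}: neither 'attr: value' nor folded "
                            f"(missing leading space?): {line!r}")
            continue
        if current:
            pairs.append(tuple(current))
        current = [m.group(1), m.group(2)]
    if current:
        pairs.append(tuple(current))
    return pairs, problems


# '( <oid> NAME 'x' ...' or '( <oid> NAME ( 'x' 'y' ) ...'
_DEF_RE = re.compile(r"^\(\s*([\d.]+)\s+NAME\s+(?:'([^']+)'|\(\s*'([^']+)')")


def schema_report(text):
    """Summarise a schema file: dn, OID -> NAME of each definition, problems.
    'ok' is True only when the record is a loadable cn=schema entry."""
    pairs, problems = parse_schema_ldif(text)
    dn = next((v for a, v in pairs if a.lower() == "dn"), None)
    if dn is None or dn.strip().lower() != "cn=schema":
        problems.append(f"record dn is {dn!r}, expected 'cn=schema'")
    names = {}
    for attr, value in pairs:
        if attr.lower() in ("attributetypes", "objectclasses"):
            m = _DEF_RE.match(value.strip())
            if m is None:
                problems.append(f"{attr}: no OID/NAME found in {value[:40]!r}")
            else:
                names[m.group(1)] = m.group(2) or m.group(3)
    return {"dn": dn, "names": names, "problems": problems, "ok": not problems}


def verify_command(names, host="localhost"):
    """ldapsearch line that shows whether the server really loaded the definitions:
    read cn=schema unwrapped and grep for each NAME (OpenLDAP 2.4 client syntax)."""
    pattern = "|".join(re.escape(f"'{n}'") for n in sorted(names.values()))
    return (f"ldapsearch -x -o ldif-wrap=no -H ldap://{host} -b cn=schema -s base "
            f"'(objectClass=*)' attributeTypes objectClasses | grep -E \"{pattern}\"")


# Constructed sample: the hostObject definitions from the thread, folded correctly.
SAMPLE_HOST_LDIF = """\
dn: cn=schema
objectClasses: (
  1.3.6.1.4.1.5322.17.1.2
  NAME 'hostObject'
  DESC 'Auxiliary object class for adding host attribute'
  SUP top
  AUXILIARY
  MAY host
  )
attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
  DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
"""
# Constructed failure case: the same file with every leading space stripped.
BROKEN_HOST_LDIF = "\n".join(l.lstrip() for l in SAMPLE_HOST_LDIF.splitlines())

if __name__ == "__main__":
    for label, text in (("folded", SAMPLE_HOST_LDIF), ("stripped", BROKEN_HOST_LDIF)):
        rep = schema_report(text)
        print(label, "ok" if rep["ok"] else "PROBLEMS", rep["names"], rep["problems"])
    print(misplaced_files(["64ldapdhcp.ldif", "70host.ldif", "71sudoers.ldif"],
                          ["64ldapdhcp.ldif"]), "not in", instance_schema_dir("ldap1"))
    print(verify_command(schema_report(SAMPLE_HOST_LDIF)["names"]))
```

Run it on each file you copied into the instance's schema directory, then run the printed ldapsearch against the restarted server; a NAME that the grep does not find was not loaded, whatever the error log says.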