[Freeipa-devel] Ticket #2866 - referential integrity in IPA
Martin Kosek
mkosek at redhat.com
Tue Sep 11 16:51:34 UTC 2012
On 09/04/2012 04:40 PM, Rich Megginson wrote:
> On 09/03/2012 08:42 AM, Martin Kosek wrote:
>> On 08/27/2012 06:29 PM, Rich Megginson wrote:
...
>> This is the plan I plan to take:
>> 1) Add pres,eq indexes for all un-indexed attributes that we want to check:
>> sourcehost
>> memberservice
>> managedby
>> memberallowcmd
>> memberdenycmd
>> ipasudorunas
>> ipasudorunasgroup
> ok
...
Implementation of the Referential Integrity in IPA works OK so far, I just hit
a strange issue when indexing memberallowcmd and memberdenycmd attributes in IPA:
dirsrv errors log:
...
[11/Sep/2012:11:39:53 -0400] - The attribute [memberdenycmd] does not have a
valid ORDERING matching rule - error 2:s
[11/Sep/2012:11:39:58 -0400] - userRoot: Indexing attribute: memberdenycmd
[11/Sep/2012:11:39:58 -0400] - userRoot: Finished indexing.
...
This cause RI to fail to handle this attribute in IPA (which is expected based
on the error message).
I checked the attributes types, they look like that:
attributetypes: ( 2.16.840.1.113730.3.8.7.1 NAME 'memberAllowCmd' DESC 'Refere
nce to a command or group of commands that are allowed by the rule.' SUP dist
inguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch
SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN
'IPA v2' )
attributetypes: ( 2.16.840.1.113730.3.8.7.2 NAME 'memberDenyCmd' DESC 'Referen
ce to a command or group of commands that are denied by the rule.' SUP distin
guishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch S
UBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'I
PA v2' )
"distinguishedNameMatch" ORDERING rule looks wrong, it is only a matching rule.
Anyone knows why it was defined that way? Or what should be a correct setting
for this attribute instead? caseIgnoreOrderingMatch seems as a logical choice...
I will have to fix the attributeTypes definition in IPA before we can enable
index & RI for them.
Thanks,
Martin
More information about the Freeipa-devel
mailing list