On Thu, Jul 17, 2014 at 04:35:31PM +0200, Lukas Slebodnik wrote:
> ehlo,
>
> There is a problem with the OpenLDAP server and dereferencing of attributes
> that are not in the schema of the server?
>
> sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \
>     -E 'deref=member:uid,dummy_attr' cn=ref_grp
> Protocol error (2)
> Additional information: Dereference control: attribute decoding error
> sh-4.2$ echo $?
> 2
>
> The attribute nsUniqueID is a 389-only, non-standard attribute.
> It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson
> nor posixAccount schema. OpenLDAP supports the standard entryUUID attribute,
> which is basically the same (uniquely identifies an entry throughout
> a replication topology), but uses the standard UUID format rather than
> the non-standard format used by 389.
>
> 4x FIXME removed :-)
>
> Any comments are welcome.
>
> LS

Thanks for the detective work on finding the root cause of the problem!
I wonder if we could remove the attribute completely, though. It appears
to be completely unused now:

$ git grep -l SYSDB_UUID
src/db/sysdb.h:#define SYSDB_UUID "uniqueID"
src/providers/ad/ad_opts.h: { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
src/providers/ad/ad_opts.h: { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
src/providers/ad/ad_opts.h: { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },
src/providers/ipa/ipa_opts.h: { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
src/providers/ipa/ipa_opts.h: { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
src/providers/ipa/ipa_opts.h: { "ipa_netgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL },
src/providers/ipa/ipa_opts.h: { "ipa_host_uuid", "ipaUniqueID", SYSDB_UUID, NULL},
src/providers/ipa/ipa_opts.h: { "ipa_hostgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL},
src/providers/ipa/ipa_opts.h: { "ipa_selinux_usermap_uuid", "ipaUniqueID", SYSDB_UUID, NULL},
src/providers/ldap/ldap_opts.h: { "ldap_user_uuid", NULL, SYSDB_UUID, NULL },
src/providers/ldap/ldap_opts.h: { "ldap_group_uuid", NULL, SYSDB_UUID, NULL },
src/providers/ldap/ldap_opts.h: { "ldap_user_uuid", "nsUniqueId", SYSDB_UUID, NULL },
src/providers/ldap/ldap_opts.h: { "ldap_group_uuid", "nsUniqueId", SYSDB_UUID, NULL },
src/providers/ldap/ldap_opts.h: { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
src/providers/ldap/ldap_opts.h: { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
src/providers/ldap/ldap_opts.h: { "ldap_netgroup_uuid", "nsUniqueId", SYSDB_UUID, NULL },

And according to "git log -S" it was actually never used.
So my proposal is to just remove the attribute along with SYSDB_UUID.
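
The failure discussed in this thread, a deref control naming an attribute the server's schema does not define, can be caught on the client before the search is sent. The following is an added example, not part of the original messages and not SSSD code: it checks requested deref attribute names against attributeTypes values as a server publishes them in its subschema entry. The function names and the sample schema strings are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed sample: attributeTypes values in the form a subschema entry returns. */
static const char *const sample_schema[] = {
    "( 2.5.4.31 NAME 'member' SUP distinguishedName )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) EQUALITY caseIgnoreMatch )",
    "( 1.3.6.1.1.16.4 NAME 'entryUUID' EQUALITY UUIDMatch SINGLE-VALUE )",
};
/* True if attr is one of the quoted names in the NAME clause of def.
 * Handles both NAME 'x' and NAME ( 'x' 'y' ); names compare case-insensitively. */
static bool def_names_attr(const char *def, const char *attr)
{
    const char *p = strstr(def, " NAME ");
    size_t alen = strlen(attr);
    if (p == NULL) return false;
    p += strlen(" NAME ");
    while (*p == ' ' || *p == '(') p++;
    for (;;) {
        if (*p != '\'') return false;   /* end of the name list, or malformed */
        const char *end = strchr(++p, '\'');
        if (end == NULL) return false;
        if ((size_t)(end - p) == alen && strncasecmp(p, attr, alen) == 0) return true;
        p = end + 1;
        while (*p == ' ') p++;
    }
}

/* Store the attrs that no schema definition names in unknown[]; return how many. */
size_t unknown_deref_attrs(const char *const *schema, size_t nschema,
                           const char *const *attrs, size_t nattrs, const char **unknown)
{
    size_t n = 0;
    for (size_t i = 0; i < nattrs; i++) {
        bool found = false;
        for (size_t j = 0; j < nschema && !found; j++)
            found = def_names_attr(schema[j], attrs[i]);
        if (!found) unknown[n++] = attrs[i];
    }
    return n;
}

int main(void)
{
    const char *req[] = { "uid", "dummy_attr", "nsUniqueId", "entryuuid" }, *bad[4];
    size_t n = unknown_deref_attrs(sample_schema, 3, req, 4, bad);
    for (size_t i = 0; i < n; i++) printf("not in schema: %s\n", bad[i]);
    return n ? 1 : 0;
}
```

Attributes reported here can be dropped from the deref request, or the client can fall back to a search without the control.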