[389-users] help with 'no such attribute' error?
Rich Megginson
rmeggins at redhat.com
Wed Nov 2 21:56:59 UTC 2011
On 11/02/2011 03:49 PM, brandon wrote:
> So I'm hoping somebody can assist with a confusing problem I am having.
>
> I am running 389-ds-1.2.1-1.
What platform? What version of 389-ds-base?
> I have nodes in a subtree where I am
> unable to modify the userPassword attribute through perl-LDAP, but I can
> through the 389-console. However, this same exact perl-LDAP code /can/
> make changes to objects in a different subtree (works in ou=People,
> fails in ou=Special Users).
>
> The perl script uses an administrative account to make the changes
> (admin in ou=Administrators,ou=TopologyManagement,o=NetscapeRoot), which
> should have access to the entire tree. ACI's on the subtrees are
> identical, I have even compared them in the ldif export of the tree.
>
> The commit works if I use ldapmodify (same user/password), it works if I
> do it with 389-console, but it fails when I use perl-LDAP.
>
> I am current on perl-LDAP as well.
>
> The only reason I am still poking at the directory server, is because
> the directory server is returning the 'no such attribute' error 16, even
> in the logfiles.
>
> Is there any way to get some more .. readable logs from the directory
> server?
Start with the access log. This will tell you your bind identity and
the operations invoked by the client. It won't give the exact modify
arguments for modify operations - use the errorlog level 4 (ARGS) for
that - see http://directory.fedoraproject.org/wiki/FAQ#Troubleshooting
(4 Heavy trace output debugging).
> Is there a way to filter the ds logs, perhaps? Specify that
> logs regarding specific nodes are sent at different levels?
>
> I suspect that perl-LDAP is committing the change in a manner
> differently than ldapmodify/389-console, but I cannot figure out how.
> What really confuses me is that perl-LDAP /works/ fine on ou=People, but
> not ou=Special Users.
If all else fails, you could use wireshark/tcpdump to inspect the
packets received and sent by the directory server.
> Thoughts? Help? Suggested directions to look?
>
> Thanks,
>
> -Brandon
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
More information about the 389-users
mailing list