Hi Howard,

On Mon, 27 May 2013, hyc(a)symas.com wrote: > ck(a)cksoft.de wrote: >> Hi, >> >> Summary: it seems having a modifiersdn outside of cn=config in cn=config breaks replication once slapd is restarted. > > Yeah, using DNs other than the cn=config rootDN is frequently a problem. This > is why when cn=config was introduced in 2.3 only the cn=config rootDN was > allowed access to the tree. > > In this particular case, there's a simpler solution - add schema definitions > for the missing RDN attributes directly to the cn=config entry. In your case, > move the "ou" definition from the cn=core schema entry. > > There's nothing dirty about this solution - it has always been valid to define > schema elements in the top-level slapd.conf file as well as in the top > cn=config global config entry. The feature doesn't get used much because most > 3rd party schemas are distributed as their own files, so it's simpler to just > use the include directive to reference them. But for your current situation, > you need to define these schema elements as early as possible, so that they > can be processed as valid later on. Thanks for the feedback. As my sample had modifiersName: cn=Alice,ou=People,dc=test I added definitions for 'ou' and 'dc' to cn=config. It seems this helps for modifiersNames of entries below cn=config but not for cn=config itself. I have uploaded following three configs that illustrate the remaining problem: http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-1-fail... http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-2-ok.ldif http://www.cksoft.de/paste/374f18f905d53f8e6e158702e686b563/config-3-fail... The original failure with config-1 because of a modifiersName on cn=module{0},cn=config: [root@test-centos64 test]# slapadd -v -n0 -F config-1 -l config-1-fail.ldif added: "cn=config" (00000001) 51a32d4b str2entry: invalid value for attributeType modifiersName #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12) slapadd: could not parse entry (line=42) _# 7.41% eta none elapsed none spd 1.5 M/s Closing DB... [root@test-centos64 test]# Workaround applied in config-2 with attribute definitions in cn=config [root@test-centos64 test]# diff -u config-1-fail.ldif config-2-ok.ldif --- config-1-fail.ldif 2013-05-27 11:50:35.368253951 +0200 +++ config-2-ok.ldif 2013-05-27 11:49:17.691253291 +0200 @@ -28,6 +28,12 @@ olcTLSVerifyClient: never olcToolThreads: 1 olcWriteTimeout: 0 +olcAttributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC ' + RFC2256: organizational unit this object belongs to' SUP name ) +olcAttributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone + nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST + R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA + LUE ) structuralObjectClass: olcGlobal entryUUID: 3b1e9034-58d9-1032-8161-d3a3b8e342e7 creatorsName: cn=config @@ -86,8 +92,6 @@ ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC 'RFC2256 : organization this object belongs to' SUP name ) -olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC ' - RFC2256: organizational unit this object belongs to' SUP name ) olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title associated with the entity' SUP name ) olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DESC 'RFC2256: search gui @@ -193,10 +197,6 @@ olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbo x' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR ca seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) -olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone - nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST - R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA - LUE ) olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DE SC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match SUBST R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) [root@test-centos64 test]# [root@test-centos64 test]# slapadd -v -n0 -F config-2 -l config-2-ok.ldif added: "cn=config" (00000001) added: "cn=module{0},cn=config" (00000001) added: "cn=schema,cn=config" (00000001) added: "cn={0}core,cn=schema,cn=config" (00000001) added: "olcDatabase={-1}frontend,cn=config" (00000001) added: "olcDatabase={0}config,cn=config" (00000001) added: "olcDatabase={1}mdb,cn=config" (00000001) _#################### 100.00% eta none elapsed none fast! Closing DB... [root@test-centos64 test]# Breaks again after a modifiersname is added to cn=config [root@test-centos64 test]# diff -u config-2-ok.ldif config-3-fail.ldif --- config-2-ok.ldif 2013-05-27 11:49:17.691253291 +0200 +++ config-3-fail.ldif 2013-05-27 11:52:57.346255334 +0200 @@ -42,7 +42,7 @@ olcLogLevel: Stats olcLogLevel: Stats2 entryCSN: 20130524161850.764209Z#000000#000#000000 -modifiersName: cn=config +modifiersName: cn=Alice,ou=People,dc=test modifyTimestamp: 20130524161850Z dn: cn=module{0},cn=config [root@test-centos64 test]# [root@test-centos64 test]# slapadd -v -n0 -F config-3 -l config-3-fail.ldif 51a32daf str2entry: invalid value for attributeType modifiersName #0 (syntax 1.3.6.1.4.1.1466.115.121.1.12) slapadd: could not parse entry (line=1) _# 7.35% eta none elapsed none spd 3.0 M/s Closing DB... [root@test-centos64 test]# Sorry if I do not see the obvious. Is there any possibility to get this to work for cn=config as well as entries below cn=config. How much freedom would we have to rearrange the entries und cn=config so we could have the schema defintions read before olcGlobal ? Greetings Christian