Full_Name: Pierre-Emmanuel Brinette
Version: 2.2.13 (openldap-2.2.13-6.4E)
OS: Scientific Linux 4.4 (RHEL 4.4 clone)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (134.158.71.215)

Hello,
Openldap is used as an information provider in a GRID middleware project (http://www.eu-egee.org/). This information provider is known as BDII.
The information about grid nodes is published via openldap.
Until now, the platform supported by the middleware is Scientific Linux 3 (a RHEL 3 clone like CentOS). The openldap version provided with this system is openldap 2.0.27.
We updated our systems with Scientific Linux 4.4 (RHEL 4.4) for new hardware support. The openldap version provided is now 2.2.13.
When I put the new service in production, I found some issues with some attributes that disappear from the directory.
In our openldap schema, we have an attribute declared like this:

attributetype ( 1.3.6.1.4.1.8005.100.2.2.7.1
    NAME 'GlueVOViewLocalID'
    DESC 'Local ID for this VO view'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE)

This attribute may contain strings like these:

GlueVOViewLocalID=dteam
GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,

It seems that both of these sample strings are IA5 compliant.
When I send this request to the openldap server, I get different results depending on the openldap version:
------------ Openldap 2.0.27 -----------------------
ldapsearch -x -P3 -H ldap://cclcgtopbdii01.in2p3.fr:2170 -b "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# /VO=swetest/GROUP=/swetest/ROLE=swadmin, grid001.fc.up.pt:2119/jobmanager-l
 cgsge-swetest, UPorto, local, grid
dn: GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=g
 rid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name
 =local,o=grid
objectClass: GlueCETop
objectClass: GlueVOView
objectClass: GlueCEInfo
objectClass: GlueCEState
objectClass: GlueCEAccessControlBase
objectClass: GlueCEPolicy
objectClass: GlueKey
objectClass: GlueSchemaVersion
GlueVOViewLocalID: /VO=swetest/GROUP=/swetest/ROLE=swadmin
GlueCEAccessControlBaseRule: VOMS:/VO=swetest/GROUP=/swetest/ROLE=swadmin
GlueCEAccessControlBaseRule: DENY:dteam
GlueCEAccessControlBaseRule: DENY:ops
GlueCEAccessControlBaseRule: DENY:swetest
GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=lcgadmin
GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=production
GlueCEAccessControlBaseRule: DENY:/VO=ops/GROUP=/ops/ROLE=lcgadmin
GlueCEStateRunningJobs: 0
GlueCEStateWaitingJobs: 0
GlueCEStateTotalJobs: 0
GlueCEStateFreeJobSlots: 22
GlueCEStateEstimatedResponseTime: 0
GlueCEStateWorstResponseTime: 0
GlueCEInfoDefaultSE: hades.up.pt
GlueCEInfoApplicationDir: /vosoft/swetestsoft
GlueCEInfoDataDir: unset
GlueChunkKey: GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest
GlueSchemaVersionMajor: 1
GlueSchemaVersionMinor: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

--------------------- openldap 2.2.13 ------------------------
ldapsearch -P3 -x -H ldap://cclcgtopbdii02.in2p3.fr:2170 -b "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

---------------------------------------------------
Each time a dn contains an attribute of the following form: "attribute=a_string=another_string,..." (e.g. "/VO=swetest/GROUP=/swetest/ROLE=swadmin"), openldap 2.2 produces an error "could not parse entry".
In fact, each time the attribute value contains more than one equals ("=") character, openldap fails to handle the string, even though this character is included in the IA5 table.
Best regards.
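
Added example, not part of the original report and not OpenLDAP code: RFC 4514 allows any character of an attribute value, including "=", to be written in a DN string as a backslash hex pair (\3D), so a client can build the search base with exactly one unescaped "=" per RDN. The helper names are hypothetical, and it is an assumption, not verified here, that slapd 2.2.13 accepts the escaped form.

```python
# Added example: hex-escape '=' (and the RFC 4514 special characters) in RDN
# values before joining them into a DN string. Helper names are hypothetical.
ALWAYS_ESCAPE = set('"+,;<>\\=\0')   # '=' is optional in RFC 4514; escaped here

def escape_rdn_value(value):
    """Return value with DN-special characters written as \\XX hex pairs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        # Leading space or '#', and trailing space, must also be escaped.
        edge = (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\%02X" % ord(ch) if ch in ALWAYS_ESCAPE or edge else ch)
    return "".join(out)

def build_dn(rdns):
    """Join (attribute, raw value) pairs, most specific first, into a DN."""
    return ",".join("%s=%s" % (a, escape_rdn_value(v)) for a, v in rdns)

def split_unescaped(text, sep):
    """Split text on sep, skipping any character that follows a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2
        elif text[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    parts.append("".join(cur))
    return parts

def equals_per_rdn(dn):
    """Count unescaped '=' in each RDN; a cleanly delimited AVA has exactly one."""
    return [len(split_unescaped(rdn, "=")) - 1 for rdn in split_unescaped(dn, ",")]

# The search base from the report, as raw (attribute, value) pairs.
REPORT_RDNS = [
    ("GlueVOViewLocalID", "/VO=swetest/GROUP=/swetest/ROLE=swadmin"),
    ("GlueCEUniqueID", "grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"),
    ("mds-vo-name", "UPorto"),
    ("mds-vo-name", "local"),
    ("o", "grid"),
]
RAW_DN = ",".join("%s=%s" % pair for pair in REPORT_RDNS)  # as sent in the report

if __name__ == "__main__":
    print(equals_per_rdn(RAW_DN))
    print(build_dn(REPORT_RDNS))
    print(equals_per_rdn(build_dn(REPORT_RDNS)))
```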