pbrinette@cc.in2p3.fr wrote:
OpenLDAP is used as an information provider in a GRID middleware project (http://www.eu-egee.org/). This information provider is known as BDII.
The information about grid nodes is published via OpenLDAP.
Until now, the platform supported by the middleware is Scientific Linux 3 (a RHEL 3 clone like CentOS). The OpenLDAP version provided with this system is OpenLDAP 2.0.27.
We updated our systems with Scientific Linux 4.4 (RHEL 4.4) for new hardware support. The OpenLDAP version provided is now 2.2.13.
When I put the new service in production, I found some issues with some attributes that disappear from the directory.
In our openldap schema, we have an attribute declared like this:
attributetype ( 1.3.6.1.4.1.8005.100.2.2.7.1
    NAME 'GlueVOViewLocalID'
    DESC 'Local ID for this VO view'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
    SINGLE-VALUE)
This attribute may contain strings like these:
GlueVOViewLocalID=dteam
GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,
It seems that both of these sample strings are IA5 compliant.
When I query the OpenLDAP server with this request, I get different results depending on the OpenLDAP version:
------------ Openldap 2.0.27 -----------------------
ldapsearch -x -P3 -H ldap://cclcgtopbdii01.in2p3.fr:2170 -b "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# /VO=swetest/GROUP=/swetest/ROLE=swadmin, grid001.fc.up.pt:2119/jobmanager-l
 cgsge-swetest, UPorto, local, grid
dn: GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=g
 rid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name
 =local,o=grid
objectClass: GlueCETop
objectClass: GlueVOView
objectClass: GlueCEInfo
objectClass: GlueCEState
objectClass: GlueCEAccessControlBase
objectClass: GlueCEPolicy
objectClass: GlueKey
objectClass: GlueSchemaVersion
GlueVOViewLocalID: /VO=swetest/GROUP=/swetest/ROLE=swadmin
GlueCEAccessControlBaseRule: VOMS:/VO=swetest/GROUP=/swetest/ROLE=swadmin
GlueCEAccessControlBaseRule: DENY:dteam
GlueCEAccessControlBaseRule: DENY:ops
GlueCEAccessControlBaseRule: DENY:swetest
GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=lcgadmin
GlueCEAccessControlBaseRule: DENY:/VO=dteam/GROUP=/dteam/ROLE=production
GlueCEAccessControlBaseRule: DENY:/VO=ops/GROUP=/ops/ROLE=lcgadmin
GlueCEStateRunningJobs: 0
GlueCEStateWaitingJobs: 0
GlueCEStateTotalJobs: 0
GlueCEStateFreeJobSlots: 22
GlueCEStateEstimatedResponseTime: 0
GlueCEStateWorstResponseTime: 0
GlueCEInfoDefaultSE: hades.up.pt
GlueCEInfoApplicationDir: /vosoft/swetestsoft
GlueCEInfoDataDir: unset
GlueChunkKey: GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest
GlueSchemaVersionMajor: 1
GlueSchemaVersionMinor: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--------------------- openldap 2.2.13 ------------------------
ldapsearch -P3 -x -H ldap://cclcgtopbdii02.in2p3.fr:2170 -b "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1
Each time a DN contains an attribute of the following form: "attribute=a_string=another_string,..." (e.g. "/VO=swetest/GROUP=/swetest/ROLE=swadmin"), OpenLDAP 2.2 produces an error "could not parse entry".
In fact, each time the attribute value contains more than one equals ("=") character, OpenLDAP fails to handle the string, even though this character is included in the IA5 table.
Best regards.
1) both 2.0 and 2.2 are ancient. OpenLDAP 2.3 is mature, and 2.4 is about to exit beta stage. Unless the problem is related to a real software bug, and it persists either in HEAD/2.4 or in 2.3 code, this ITS will be closed.
2) were GlueCEUniqueID and mds-vo-name declared anywhere? There seems to be nothing wrong with your DN per se; in fact, dntest yields
$ dntest \
  'GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid'

ldap_rdn2str() = "GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
ldap_rdn2str() = "GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
ldap_rdn2str() = "mds-vo-name=UPorto"
ldap_rdn2str() = "mds-vo-name=local"
ldap_rdn2str() = "o=grid"

ldap_dn2str(ldap_str2dn("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"))
    = "GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"

ldap_dn2domain("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid")
    = ""

ldap_dn2ufn("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid")
    = "/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin, grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest, UPorto, local, grid"

ldap_dn2dcedn("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid")
    = "/o=grid/mds-vo-name=local/mds-vo-name=UPorto/GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest/GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin"

ldap_dcedn2dn("/o=grid/mds-vo-name=local/mds-vo-name=UPorto/GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest/GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin")
    = "GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"

ldap_dn2ad_canonical("GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid")
    = "grid/local/UPorto/grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest//VO=swetest/GROUP=/swetest/ROLE=swadmin/"

ldap_explode_dn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"):
    "GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
        ldap_explode_rdn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin")
            'GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin'
        ldap_explode_rdn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin") (no types)
            "/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
    "GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
        ldap_explode_rdn("GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest")
            'GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest'
        ldap_explode_rdn("GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest") (no types)
            "grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
    "mds-vo-name=UPorto"
        ldap_explode_rdn("mds-vo-name=UPorto")
            'mds-vo-name=UPorto'
        ldap_explode_rdn("mds-vo-name=UPorto") (no types)
            "UPorto"
    "mds-vo-name=local"
        ldap_explode_rdn("mds-vo-name=local")
            'mds-vo-name=local'
        ldap_explode_rdn("mds-vo-name=local") (no types)
            "local"
    "o=grid"
        ldap_explode_rdn("o=grid")
            'o=grid'
        ldap_explode_rdn("o=grid") (no types)
            "grid"

ldap_explode_dn("GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid") (no types):
    "/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin"
    "grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest"
    "UPorto"
    "local"
    "grid"

"GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid"
    == "GlueVOViewLocalID=/VO\3Dswetest/GROUP\3D/swetest/ROLE\3Dswadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid" ? yes
But apparently some attribute declarations are missing; in fact, slapdn (after declaring GlueVOViewLocalID as indicated above) yields
slapdn -f testrun/slapd.1.conf 'GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid'
DN: <GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,mds-vo-name=UPorto,mds-vo-name=local,o=grid> check failed 21 (Invalid syntax)
where the failure refers exactly to the fact that GlueCEUniqueID was not declared.
p.
PS: don't look for those tools in ancient software; they've been introduced only in recent times (dntest: October 2001; slapdn: March 2004).
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
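
The dntest output in the reply shows each "=" inside an RDN value re-emitted as \3D. As an added example (not part of either message, and not OpenLDAP's own code), this Python parser reproduces that normalisation for the DN from the thread, assuming single-valued RDNs with no quoted or '#'-encoded values; all function names are hypothetical.

```python
# Added example, not OpenLDAP code. Assumes single-valued RDNs (no '+'),
# no quoted values and no '#'-encoded values. Function names are hypothetical.

# DN quoted in the thread above.
SAMPLE_DN = (
    "GlueVOViewLocalID=/VO=swetest/GROUP=/swetest/ROLE=swadmin,"
    "GlueCEUniqueID=grid001.fc.up.pt:2119/jobmanager-lcgsge-swetest,"
    "mds-vo-name=UPorto,mds-vo-name=local,o=grid"
)

def split_rdns(dn):
    """Split a DN on commas that are not protected by a backslash."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash in DN")
            cur, i = cur + dn[i:i + 2], i + 2  # copy the escape pair untouched
        elif dn[i] == ",":
            rdns, cur, i = rdns + [cur], "", i + 1
        else:
            cur, i = cur + dn[i], i + 1
    return rdns + [cur]

def parse_rdn(rdn):
    """Return (type, value). The type ends at the first '='; later '=' are data."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr:
        raise ValueError("malformed RDN: %r" % rdn)
    return attr, value

def escape_equals(value):
    """Rewrite each bare '=' in a value as the hex escape 3D; keep existing escapes."""
    out, i = "", 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out, i = out + value[i:i + 2], i + 2
        else:
            out, i = out + ("\\3D" if value[i] == "=" else value[i]), i + 1
    return out

def normalize(dn):
    """Re-emit the DN with '=' inside values escaped, RDN order preserved."""
    pairs = (parse_rdn(r) for r in split_rdns(dn))
    return ",".join("%s=%s" % (a, escape_equals(v)) for a, v in pairs)
```

Applying `normalize()` to its own output leaves it unchanged, which makes the escaped form usable as a comparison key for DNs that differ only in how "=" is written.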