Hi folks,
I added the following to my schema directory:

dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser$ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )

and referenced it in slapd.conf as:

include /etc/openldap/schema/sudoers.schema

When I try to add this:

dn: cn=SU_WGADMIN,ou=SUDOers,dc=geni,dc=com
sudoHost: +srv-web
sudoHost: +srv-rs
sudoHost: +srv-memc
sudoHost: +srv-db
sudoHost: +srv-admin
sudoHost: +srv-office
sudoHost: +srv-solr
sudoHost: +srv-sn
sudoCommand: /bin/su - wgadmin
sudoCommand: /bin/su -l wgadmin
sudoCommand: /bin/su -l qa
sudoCommand: /bin/su - qa
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
cn: SU_WGADMIN
sudoUser: +ppl-eng
sudoUser: +fp-automation

I get the error:

add sudoHost:
        +srv-web
        +srv-rs
        +srv-memc
        +srv-db
        +srv-admin
        +srv-office
        +srv-solr
        +srv-sn
add sudoCommand:
        /bin/su - wgadmin
        /bin/su -l wgadmin
        /bin/su -l qa
        /bin/su - qa
add sudoOption:
        !authenticate
add objectClass:
        top
        sudorole
add cn:
        SU_WGADMIN
add sudoUser:
        +ppl-eng
        +fp-automation
adding new entry "cn=SU_WGADMIN,ou=SUDOers,dc=geni,dc=com"
modify complete
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #1 invalid per syntax

Trimming things down to just

dn: cn=SU_WGADMIN,ou=SUDOers,dc=geni,dc=com
objectClass: top
objectClass: sudoRole
cn: SU_WGADMIN

produces the same error, which makes sense. Reversing top and sudoRole migrates the error from value #1 to value #0, which also makes sense.
On reviewing the list of available objectClasses with the GQ application, I can't find the objectClass sudoRole, although I _can_ find the five attributes, in the attribute list.
I can't find a log that might tell me what is being loaded, and slapd starts without error.
I also can't figure out how to dump the schemas with ldapsearch or any other command, so I can check to see for myself what's in there.
Can anybody tell me what might be wrong, or how to continue to investigate the problem?
Thanks,
</edg>
> I added the following to my schema directory:
>
> dn: cn=schema
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> [...etc...]
>
> and referenced it in slapd.conf as:
>
> include /etc/openldap/schema/sudoers.schema
This looks like you're mixing a classic config file and a back-config configuration. My guess is you need to include sudoers.schema using back-config.
> On reviewing the list of available objectClasses with the GQ application, I can't find the objectClass sudoRole, although I _can_ find the five attributes, in the attribute list.
Eh, or maybe there's something worse going on...
> I also can't figure out how to dump the schemas with ldapsearch or any other command, so I can check to see for myself what's in there.
All gq is doing is searching under "cn=Subschema" base. You can do that with ldapsearch.
Your real debugging maneuver, assuming you're in a position to do this, is to restart slapd with "-d config" debug option.
Aaron Richton wrote:
>> I added the following to my schema directory:
>>
>> dn: cn=schema
>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>> [...etc...]
>>
>> and referenced it in slapd.conf as:
>>
>> include /etc/openldap/schema/sudoers.schema
>
> This looks like you're mixing a classic config file and a back-config configuration. My guess is you need to include sudoers.schema using back-config.
It's not the correct syntax for either cn=config or slapd.conf. Remember that in 2.3 and earlier, invalid keywords in slapd.conf are silently ignored...
Howard Chu wrote:
> Aaron Richton wrote:
>>> I added the following to my schema directory:
>>>
>>> dn: cn=schema
>>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
>>> [...etc...]
>>>
>>> and referenced it in slapd.conf as:
>>>
>>> include /etc/openldap/schema/sudoers.schema
>>
>> This looks like you're mixing a classic config file and a back-config configuration. My guess is you need to include sudoers.schema using back-config.
>
> It's not the correct syntax for either cn=config or slapd.conf. Remember that in 2.3 and earlier, invalid keywords in slapd.conf are silently ignored...
Many good answers, for which I'm thankful...
The problem turns out to be a syntax error, not in the attributes but in the object class:
Resolved by changing
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 ...
to
objectClass ( 1.3.6.1.4.1.15953.9.2.1 ...
To match the example in http://www.openldap.org/doc/admin24/schema.html, section 12.2.5.2.
Thanks, all
</edg>
On Tuesday 10 June 2008 00:34:02 Ed Greenberg wrote:
> Howard Chu wrote:
>> Aaron Richton wrote:
>>>> I added the following to my schema directory:
>>>>
>>>> dn: cn=schema
>>>> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
This is an LDIF-format schema file, typically for use with FDS/Sun JES/Netscape etc. Why don't you use the sudo.schema provided for OpenLDAP instead?
(or, you can grab it here: http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/openldap/current/... )
>>>> [...etc...]
>>>>
>>>> and referenced it in slapd.conf as:
>>>>
>>>> include /etc/openldap/schema/sudoers.schema
>>>
>>> This looks like you're mixing a classic config file and a back-config configuration. My guess is you need to include sudoers.schema using back-config.
>>
>> It's not the correct syntax for either cn=config or slapd.conf. Remember that in 2.3 and earlier, invalid keywords in slapd.conf are silently ignored...
>
> Many good answers, for which I'm thankful...
>
> The problem turns out to be a syntax error, not in the attributes but in the object class:
>
> Resolved by changing
>
> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 ...
>
> to
>
> objectClass ( 1.3.6.1.4.1.15953.9.2.1 ...
But, it works because it is ignoring the ldif parts, and you've broken the ldif parts to look like a normal OpenLDAP schema definition ... now technically the file is neither ...
Regards, Buchan
Buchan Milne wrote:
> This is an LDIF-format schema file, typically for use with FDS/Sun JES/Netscape etc. Why don't you use the sudo.schema provided for OpenLDAP instead?
What I used was what I found by googling. I'm a beginner. I appreciate the pointer. I'm still learning where things are. Where is sudo.schema, and similar resources, provided (besides the SVN listed below)?
> (or, you can grab it here: http://svn.mandriva.com/cgi-bin/viewvc.cgi/packages/cooker/openldap/current/... )
>
> But, it works because it is ignoring the ldif parts, and you've broken the ldif parts to look like a normal OpenLDAP schema definition ... now technically the file is neither ...
OK, we'll get this cleaned up, and get my understanding cleaned up in the process. Many thanks.
</edg>
----- "Ed Greenberg" edg@greenberg.org wrote:

> Hi folks,
>
> I added the following to my schema directory:
>
> dn: cn=schema
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
> objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser$ sudoHost
You're probably missing a whitespace between "sudoUser" and the "$". I guess you're using OpenLDAP 2.3, which happens to often ignore errors instead of bailing out. Run slapd with -d config to get at least a warning message, or migrate to 2.4, which is pickier about syntax errors.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
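As an added example (not code from the list or from the OpenLDAP project) that ties Ed's objectClasses-to-objectClass fix to Pierangelo's point about the glued "$": a small Python converter that turns the posted LDIF-style schema lines (attributeTypes:/objectClasses:) into slapd.conf attributetype/objectclass directives, flags a name such as 'sudoUser$' that is not whitespace-separated from its "$", and warns about any keyword slapd.conf would not recognise. The sample input is constructed from the thread's own fragment; the function names and the keyword table are my own.

```python
import re

# Constructed sample: the LDIF-style fragment posted in the thread, kept with the
# two defects discussed ('sudoUser$' with no space before '$', and 'objectClasses:').
LDIF_SCHEMA = """dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
objectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser$ sudoHost $ sudoCommand $ sudoRunAs $ sudoOption $ description ) X-ORIGIN 'SUDO' )
"""

# LDIF subschema attribute (lowercased) -> slapd.conf directive
DIRECTIVES = {"attributetypes": "attributetype", "objectclasses": "objectclass"}
LIST_RE = re.compile(r"\b(MUST|MAY)\s*\(([^)]*)\)")


def dollar_defects(definition):
    """Report names in a MUST/MAY list that have '$' glued on (e.g. 'sudoUser$');
    slapd wants every name and every '$' separated by whitespace."""
    defects = []
    for m in LIST_RE.finditer(definition):
        for token in m.group(2).split():
            if "$" in token and token != "$":
                defects.append(f"{m.group(1)} list: {token!r} needs a space before '$'")
    return defects


def normalise_lists(definition):
    """Rewrite each MUST/MAY list as 'NAME $ NAME $ ...' with spaces around '$'."""
    def fix(m):
        names = [n for n in re.split(r"\s*\$\s*", m.group(2).strip()) if n]
        return f"{m.group(1)} ( {' $ '.join(names)} )"
    return LIST_RE.sub(fix, definition)


def convert_ldif_schema(text):
    """Turn 'attributeTypes:'/'objectClasses:' LDIF lines into slapd.conf
    'attributetype'/'objectclass' directives. Returns (directive lines, warnings)."""
    out, warnings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("dn:"):
            continue  # 'dn: cn=schema' has no slapd.conf counterpart
        key, _, body = line.partition(":")
        directive = DIRECTIVES.get(key.strip().lower())
        if directive is None:
            warnings.append(f"unknown keyword {key!r}: slapd 2.3 would ignore it silently")
            continue
        warnings.extend(dollar_defects(body))
        out.append(f"{directive} {normalise_lists(body.strip())}")
    return out, warnings
```

Feeding the converter's output through slapd -d config (or slaptest) remains the real check, since this script only fixes the two problems the thread names.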