Hi,
I'm using the refint overlay with a few attributes, but I can't get it
to work with krbPwdPolicyReference from MIT kerberos 1.7. I get the
error from the subject when deleting the entry this attribute
references.
If, however, I *rename* the entry, the krbPwdPolicyReference attribute
gets updated correctly. It seems to fail only when I remove the entry.
This is the config:
dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcRefintConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: krbObjectReferences
olcRefintAttribute: member
olcRefintAttribute: krbPwdPolicyReference
olcRefintNothing: cn=localroot,cn=config
This is the entry which has the attribute pointing to the entry I will
remove (some attributes omitted for brevity):
dn: krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=
example,dc=com
krbPrincipalName: andreas(a)EXAMPLE.COM
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbObjectReferences: uid=andreas,ou=people,dc=example,dc=com
krbPwdPolicyReference: cn=default,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example
,dc=com
This is the entry I'm deleting. I would expect the
krbPwdPolicyReference attribute from my entry above to be deleted. If
I rename this cn=default, then krbPwdPolicyReference gets updated
correctly.
dn: cn=default,cn=EXAMPLE.COM,ou=Kerberos Realms,dc=example,dc=com
cn: default
objectClass: krbPwdPolicy
krbMaxPwdLife: 36000
krbMinPwdLife: 0
krbPwdMinDiffChars: 1
krbPwdMinLength: 1
krbPwdHistoryLength: 1
These are the relevant logs (level 16383):
Oct 7 16:55:33 maestro slapd[6381]: refint_search_cb <NOTHING>
Oct 7 16:55:33 maestro slapd[6381]: ==> unique_modify
<krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos
Realms,dc=example,dc=com>
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn:
"krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)",
at: "(null)"
Oct 7 16:55:33 maestro slapd[6381]:
bdb_dn2entry("krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry:
"krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn:
"krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)",
at: "(null)"
Oct 7 16:55:33 maestro slapd[6381]:
bdb_dn2entry("krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry:
"krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: ndn:
"cn=default,ou=password policies,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: oc: "(null)",
at: "(null)"
Oct 7 16:55:33 maestro slapd[6381]:
bdb_dn2entry("cn=default,ou=password policies,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: => bdb_entry_get: found entry:
"cn=default,ou=password policies,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_entry_get: rc=0
Oct 7 16:55:33 maestro slapd[6381]: hdb_modify:
krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos
Realms,dc=example,dc=com
Oct 7 16:55:33 maestro slapd[6381]:
bdb_dn2entry("krbPrincipalName=andreas(a)EXAMPLE.COM,cn=example.com,ou=kerberos
realms,dc=example,dc=com")
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 0x00000042:
krbPrincipalName=andreas(a)EXAMPLE.COM,cn=EXAMPLE.COM,ou=Kerberos
Realms,dc=example,dc=com
Oct 7 16:55:33 maestro slapd[6381]: <= acl_access_allowed: granted to
database root
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete
krbPwdPolicyReference
Oct 7 16:55:33 maestro slapd[6381]: dnMatch
0#012#011"cn=default,cn=example.com,ou=kerberos
realms,dc=example,dc=com"#012#011"cn=default,cn=example.com,ou=kerberos
realms,dc=example,dc=com"
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: replace modifiersName
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: delete
krbPwdPolicyReference
Oct 7 16:55:33 maestro slapd[6381]: bdb_modify_internal: 16
modify/delete: krbPwdPolicyReference: no such attribute
Oct 7 16:55:33 maestro slapd[6381]: hdb_modify: modify failed (16)
Oct 7 16:55:33 maestro slapd[6381]: send_ldap_result: conn=-1 op=0 p=0
Oct 7 16:55:33 maestro slapd[6381]: send_ldap_result: err=16
matched="" text="modify/delete: krbPwdPolicyReference: no such
attribute"
Oct 7 16:55:33 maestro slapd[6381]: refint_repair: dependent modify failed: 16
Any hints?