Ulrich Windl wrote:
>>> Michael Ströder <michael(a)stroeder.com> schrieb am
29.08.2019 um 16:34 in
> On 8/29/19 8:32 AM, Ulrich Windl wrote:
>>>>> Quanah Gibson-Mount <quanah(a)symas.com> schrieb am 28.08.2019 um
>> Nachricht <F0468E4D7DD097415B5FC5C1(a)[192.168.1.144]>:
>>> ‑‑On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl
>>> <Ulrich.Windl(a)rz.xn--uniregensburg-dm6g.de> wrote:
>>>> After systemd tearing down one of our LDAP servers I noticed the
>>>> following message when the server was restarted: slapd: UNKNOWN
>>>> attributeDescription "AUDITCONTEXT" inserted.
>>>> The schema knows in olcAttributeTypes (olcSchemaConfig):
>>>> ( 188.8.131.52.4.1.4203.6184.108.40.206.30 NAME 'auditContext' DESC 'DN
>>>> auditContainer' SYNTAX 220.127.116.11.4.1.1418.104.22.168.12 SINGLE‑VALUE
>>>> NO‑USER‑MODIFICATION USAGE dSAOperation )
>>>> What I'l like to know: Is there any thing I could fix in the
>>>> configuration to make the message go away, or is it some software issue
>>>> in slapd?
>>> I've seen this when an attribute is introduced into the cn=config
>>> that's not part of the built‑in slapd schema. It can be harmless in
>> I grepped for the attribute in external schema files, but didn't find it.
>> found it when querying slapd, I conclude that the definition shown above
>> be build into slapd.
> Attribute type description 'auditContext' and all other schema
> definitions for accesslog overlay are defined in C code of
> slapo-accesslog. If you don't load slapo-accesslog then you normally
> don't see the schema.
> I don't know what inconsistent content your cn=config has though.
Still I don't quite understand it: It seems the attribute is also in the
config database (dn: cn=schema,cn=config), so why is it unknown when slapd
starts? It cannot be the reason that the schema is provided by an overlay. That
would apply when starting the first time only, maybe (when the schema database
isn't populated yet by the overlay).
The contents of the file corresponding to cn=schema are always ignored, and the actual
runtime contents of the cn=schema entry are always the actual hardcoded schema in the
slapd process. As such, you should only trust the contents of an ldapsearch of the
cn=schema,cn=config entry, and always disregard whatever was stored in the file.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/