Hi everyone,
I'm posting again about my issue on my v2.5.18 OpenLDAP installation on RHEL8. I'm required by an editor to add a custom structural class to the LDAP schema, and especially afterwards to add an index on one integer attribute that is part of the new class. To that end, in OpenLDAP, I think it means:

1) To my knowledge and following the documentation (https://www.openldap.org/doc/admin25/schema.html#Attribute%20Type%20Specific...), I need to declare an ordering matching rule in the attribute definition of the schema. However, when I do that with the following olcAttributeTypes definition:

olcAttributeTypes: ( 1.3.6.1.4.1.xxx.x.x.xxx NAME 'last-modified' DESC 'Object Last Modified Time' ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

and try to import the ldif containing this definition, the following error appears:

modifying entry "cn={5}clients,cn=schema,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: olcAttributeTypes: AttributeType inappropriate matching rule: "integerOrderingMatch"

I tried with all documented OrderingMatch rules just in case, but the same error (modulo the name of the OrderingMatch rule) appears each time, as if the syntax and the rule of the attribute don't match. Note that I tested the attribute definition without the ORDERING rule: the attribute is correctly added, but searches with the operators "<=" and ">=" are not working.

2) Add an index to my MDB database through, for example, the following ldif:

dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: last-modified <indexKeyword>

However, here, I can't find the index keyword needed for ordering in the documentation... don't know if this is even supported.

Can somebody please help me on those two topics?
Regards,
--On Sunday, August 4, 2024 4:53 PM +0000 thierryblaise@hotmail.com wrote:
> Hi everyone,
> I'm posting again about my issue on my v2.5.18 OpenLDAP installation on RHEL8. I'm required by an editor to add a custom structural class to the LDAP schema, and especially afterwards to add an index on one integer attribute that is part of the new class. To that end, in OpenLDAP, I think it means:
>
> - To my knowledge and following the documentation (https://www.openldap.org/doc/admin25/schema.html#Attribute%20Type%20Specification), I need to declare an ordering matching rule in the attribute definition of the schema. However, when I do that with the following olcAttributeTypes definition:
>
> olcAttributeTypes: ( 1.3.6.1.4.1.xxx.x.x.xxx NAME 'last-modified' DESC 'Object Last Modified Time' ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

You failed to specify the EQUALITY matching rule, which is also required.
EQUALITY integerMatch should be defined prior to the ORDERING matching rule.

> and try to import the ldif containing this definition, the following error appears:
>
> modifying entry "cn={5}clients,cn=schema,cn=config"
> ldap_modify: Other (e.g., implementation specific) error (80)
>         additional info: olcAttributeTypes: AttributeType inappropriate matching rule: "integerOrderingMatch"
>
> I tried with all documented OrderingMatch rules just in case, but the same error (modulo the name of the OrderingMatch rule) appears each time, as if the syntax and the rule of the attribute don't match. Note that I tested the attribute definition without the ORDERING rule: the attribute is correctly added, but searches with the operators "<=" and ">=" are not working.
>
> - Add an index to my MDB database through, for example, the following ldif:
>
> dn: olcDatabase={1}mdb,cn=config
> add: olcDbIndex
> olcDbIndex: last-modified <indexKeyword>
>
> However, here, I can't find the index keyword needed for ordering in the documentation... don't know if this is even supported.
>
> Can somebody please help me on those two topics?

ORDERING requires an EQUALITY index (eq).
--Quanah
Hi Quanah,
Thanks for the answer: indeed, adding the EQUALITY matching rule prior to the ORDERING rule in the attribute definition does the trick, as I can now use the filters used for ordering. However, I quickly searched for this "particularity" in the doc, the RFC, etc. and couldn't find anything about it. Is that specific to OpenLDAP?

However, for the index, even if the "eq" index should be configured, I got this error message trying to add it:

dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: last-modified eq

ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcDbIndex: last-modified eq
adding new entry "olcDatabase={1}mdb,cn=config"
ldap_add: Object class violation (65)
        additional info: no objectClass attribute
I guess you have an idea what's going on?
Regards,
--On Monday, August 5, 2024 10:09 AM +0000 thierryblaise@hotmail.com wrote:
> Hi Quanah,
> Thanks for the answer: indeed, adding the EQUALITY matching rule prior to the ORDERING rule in the attribute definition does the trick, as I can now use the filters used for ordering. However, I quickly searched for this "particularity" in the doc, the RFC, etc. and couldn't find anything about it. Is that specific to OpenLDAP?
>
> However, for the index, even if the "eq" index should be configured, I got this error message trying to add it:
>
> dn: olcDatabase={1}mdb,cn=config
> add: olcDbIndex
> olcDbIndex: last-modified eq
>
> ldap_initialize( ldapi:///??base )
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> add olcDbIndex: last-modified eq
> adding new entry "olcDatabase={1}mdb,cn=config"
> ldap_add: Object class violation (65)
>         additional info: no objectClass attribute
>
> I guess you have an idea what's going on?

Your modify statement is invalid. It should be:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: last-modified eq
--Quanah
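
The two corrections given in the replies above, written as a pre-flight check to run over an LDIF before it is handed to ldapmodify. This is an added example, not part of the original thread and not OpenLDAP code; the function names `lint_attribute_type` and `lint_ldif` are hypothetical, and the sample records are constructed from the definitions quoted in the thread.

```python
import re
MOD_OPS = {"add", "replace", "delete"}  # modify-record operation keywords

def lint_attribute_type(definition):
    """Flag an ORDERING rule that has no EQUALITY rule declared before it."""
    # Blank out quoted strings so words inside DESC '...' are not read as keywords.
    tokens = re.sub(r"'[^']*'", "''", definition).replace("(", " ").replace(")", " ").split()
    if "ORDERING" not in tokens:
        return []
    if "EQUALITY" not in tokens:
        return ["ORDERING declared without EQUALITY"]
    if tokens.index("EQUALITY") > tokens.index("ORDERING"):
        return ["EQUALITY must be declared before ORDERING"]
    return []

def lint_ldif(ldif):
    """Return (dn, problem) pairs for the records of an LDIF string."""
    findings = []
    unfolded = re.sub(r"\n ", "", ldif.strip())  # join LDIF continuation lines
    for record in re.split(r"\n\s*\n", unfolded):
        lines = [l for l in record.splitlines() if ":" in l and not l.startswith("#")]
        attrs = [(k.strip().lower(), v.strip()) for k, v in (l.split(":", 1) for l in lines)]
        keys = {k for k, _ in attrs}
        dn = dict(attrs).get("dn", "?")
        # In the thread, the record without changetype was sent as an add (error 65).
        if "changetype" not in keys and MOD_OPS & keys:
            findings.append((dn, "operation keyword without 'changetype: modify'"))
        for key, value in attrs:
            if key == "olcattributetypes":  # base64 ("::") values are not decoded
                findings += [(dn, p) for p in lint_attribute_type(value)]
    return findings

# Constructed sample: the two changes in the form that produced the errors above.
AS_POSTED = """\
dn: cn={5}clients,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.xxx.x.x.xxx NAME 'last-modified'
  DESC 'Object Last Modified Time' ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

dn: olcDatabase={1}mdb,cn=config
add: olcDbIndex
olcDbIndex: last-modified eq
"""
# The same sample with both corrections from the replies applied.
AS_CORRECTED = AS_POSTED.replace("ORDERING", "EQUALITY integerMatch ORDERING").replace(
    "\nadd: olcDbIndex", "\nchangetype: modify\nadd: olcDbIndex")

if __name__ == "__main__": print(*lint_ldif(AS_POSTED), sep="\n")
```
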
Thanks, and sorry for the rookie mistake. I'm still eager to understand if EQUALITY in conjunction with ORDERING is a specificity of OpenLDAP or an RFC/documented thing, if you have 2 more minutes?
On Mon, Aug 05, 2024 at 03:42:48PM -0000, thierryblaise@hotmail.com wrote:
> Thanks, and sorry for the rookie mistake. I'm still eager to understand if EQUALITY in conjunction with ORDERING is a specificity of OpenLDAP or an RFC/documented thing, if you have 2 more minutes?
A 2-minute search didn't find a direct RFC reference but this part of RFC4512 (https://datatracker.ietf.org/doc/html/rfc4512#section-2.5.1) does make it seem that ORDERING would be pretty useless without an EQUALITY rule:
   If no equality matching is specified for the attribute type:
   [...]
   -  attribute value assertions (such as matching in search filters
      and comparisons) using values of such a type cannot be
      performed.
I'd say that without inequality (</<=/...) assertions, the ORDERING rule is pretty meaningless? Someone might be able to find a more explicit reference but this alone would have been enough for me.
Regards,
openldap-technical@openldap.org