Hi all,
while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems. Once I restored the directory, I found a few entries like this:

    dn: reqStart=20180509102412.000000Z,BASEDN
    objectClass: auditModify
    structuralObjectClass: auditModify
    REQSTART: 20180509102412.000000Z
    REQEND: 20180509102412.000001Z
    REQTYPE: modify
    REQSESSION: 1679
    REQAUTHZID: cn=admin,BASEDN
    REQDN: cn=gcivitella,ou=users,BASEDN
    REQRESULT: 0
    REQMOD: description:= description utente gcivitella (update check accesslog)
    REQMOD: entryCSN:= 20180509102412.246481Z#000000#000#000000
    REQMOD: modifiersName:= cn=admin,BASEDN
    REQMOD: modifyTimestamp:= 20180509102412Z
    REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b
    entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3
    creatorsName: cn=admin,BASEDN
    createTimestamp: 20180509102412Z
    entryCSN: 20180509102412.246481Z#000000#000#000000
    modifiersName: cn=admin,BASEDN
    modifyTimestamp: 20180509102412Z

Now I'm unable to delete them. I get an "invalid DN" error:

    ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.000000Z,BASEDN"

    ldap_initialize( ldap://127.0.0.1:389/??base )
    Enter LDAP Password:
    deleting entry "reqStart=20180509102412.000000Z,BASEDN"
    ldap_delete: Invalid DN syntax (34)
            additional info: invalid DN

Is there a way to force the deletion or temporarily disable the schema check?
Best regards, Giuseppe
On Tue, 15 May 2018 10:02:18 +0200, Giuseppe Civitella giuseppe.civitella@gmail.com wrote:
Hi all,
while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems. Once I restored the directory, I found a few entries like this:

    dn: reqStart=20180509102412.000000Z,BASEDN
    objectClass: auditModify
    structuralObjectClass: auditModify
    REQSTART: 20180509102412.000000Z
    REQEND: 20180509102412.000001Z
    REQTYPE: modify
    REQSESSION: 1679
    REQAUTHZID: cn=admin,BASEDN
    REQDN: cn=gcivitella,ou=users,BASEDN
    REQRESULT: 0
    REQMOD: description:= description utente gcivitella (update check accesslog)
    REQMOD: entryCSN:= 20180509102412.246481Z#000000#000#000000
    REQMOD: modifiersName:= cn=admin,BASEDN
    REQMOD: modifyTimestamp:= 20180509102412Z
    REQENTRYUUID: 53620528-9276-1037-8c51-e5b01d96303b
    entryUUID: dc744658-e7be-1037-9c6f-71aa77ba1fb3
    creatorsName: cn=admin,BASEDN
    createTimestamp: 20180509102412Z
    entryCSN: 20180509102412.246481Z#000000#000#000000
    modifiersName: cn=admin,BASEDN
    modifyTimestamp: 20180509102412Z

Now I'm unable to delete them. I get an "invalid DN" error:

    ldapdelete -D "cn=admin,BASEDN" -W -H ldap://127.0.0.1 -v "reqStart=20180509102412.000000Z,BASEDN"

    ldap_initialize( ldap://127.0.0.1:389/??base )
    Enter LDAP Password:
    deleting entry "reqStart=20180509102412.000000Z,BASEDN"
    ldap_delete: Invalid DN syntax (34)
            additional info: invalid DN

Is there a way to force the deletion or temporarily disable the schema check?
It seems that $BASEDN is not a valid DN, check https://ldap.com/ldap-dns-and-rdns
Read man slapo-accesslog(5) on logpurge.
-Dieter
Giuseppe Civitella wrote:
while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems.
I doubt that you had login problems caused by slapo-accesslog.
Once I restored the directory, I found a few entries like this:

    dn: reqStart=20180509102412.000000Z,BASEDN
    objectClass: auditModify
    structuralObjectClass: auditModify
    REQSTART: 20180509102412.000000Z
    REQEND: 20180509102412.000001Z
    REQTYPE: modify

Is this slapcat output? Did you obfuscate your e-mail with "BASEDN"?
Note that removing slapo-accesslog also removed the object class and attribute type descriptions from your subschema. Typically slapcat outputs names of attribute types missing in subschema all with capital letters.

    deleting entry "reqStart=20180509102412.000000Z,BASEDN"
    ldap_delete: Invalid DN syntax (34)
            additional info: invalid DN

OpenLDAP server checks schema even for DNs. Hence a DN containing 'reqStart' is an invalid DN if you don't have slapo-accesslog loaded.
Ciao, Michael.
Ciao, Michael,
Yes, it is slapcat output and it is filtered: BASEDN is just a replacement. I had to remove slapo-accesslog because I was unable to log in to the server anymore. So properly deleting these entries was not an option for me. This is the origin of the problem.
Thanks, Giuseppe
2018-05-17 10:57 GMT+02:00 Michael Ströder michael@stroeder.com:
Giuseppe Civitella wrote:
while doing some tests to enable accesslog in my directory, I did enable the overlay and then disabled it because of login problems.
I doubt that you had login problems caused by slapo-accesslog.
Once I restored the directory, I found a few entries like this:

    dn: reqStart=20180509102412.000000Z,BASEDN
    objectClass: auditModify
    structuralObjectClass: auditModify
    REQSTART: 20180509102412.000000Z
    REQEND: 20180509102412.000001Z
    REQTYPE: modify

Is this slapcat output? Did you obfuscate your e-mail with "BASEDN"?
Note that removing slapo-accesslog also removed the object class and attribute type descriptions from your subschema. Typically slapcat outputs names of attribute types missing in subschema all with capital letters.

    deleting entry "reqStart=20180509102412.000000Z,BASEDN"
    ldap_delete: Invalid DN syntax (34)
            additional info: invalid DN

OpenLDAP server checks schema even for DNs. Hence a DN containing 'reqStart' is an invalid DN if you don't have slapo-accesslog loaded.
Ciao, Michael.
openldap-technical@openldap.org
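
Added example, not part of the thread and not OpenLDAP project code: because the server rejects a `reqStart=...` DN once the accesslog schema is gone, the leftovers can still be located offline in a slapcat export, where they are named by `reqStart` or carry an `audit*` object class. The function names, the `audit*` pattern as a heuristic, and `dc=example,dc=com` as a stand-in for BASEDN are assumptions made for this sketch.

```python
import base64
import re

# Heuristic (assumption): slapo-accesslog's object classes all start with "audit".
AUDIT_CLASS = re.compile(r"^audit[a-z]+$", re.IGNORECASE)

def attributes(block):
    """Yield (lower-cased name, value) pairs from one raw LDIF entry."""
    unfolded = block.replace("\n ", "")  # a folded line continues with one space
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        yield name.strip().lower(), value.strip()

def is_accesslog_leftover(block):
    """True if the entry is named by reqStart or carries an audit* object class."""
    attrs = list(attributes(block))
    dn = next((v for n, v in attrs if n == "dn"), "")
    rdn_attr = dn.split("=", 1)[0].strip().lower()
    classes = [v for n, v in attrs if n == "objectclass"]
    return rdn_attr == "reqstart" or any(AUDIT_CLASS.match(c) for c in classes)

def split_export(ldif_text):
    """Return (keep, leftovers) as lists of unmodified raw entry blocks."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", ldif_text.strip()) if b.strip()]
    leftovers = [b for b in blocks if is_accesslog_leftover(b)]
    keep = [b for b in blocks if b not in leftovers]
    return keep, leftovers

# Constructed sample; dc=example,dc=com stands in for the thread's BASEDN.
SAMPLE = """\
dn: cn=gcivitella,ou=users,dc=example,dc=com
objectClass: person
cn: gcivitella

dn: reqStart=20180509102412.000000Z,dc=example,dc=com
objectClass: auditModify
REQSTART: 20180509102412.000000Z
REQDN: cn=gcivitella,ou=users,dc=exam
 ple,dc=com
"""

if __name__ == "__main__":
    keep, leftovers = split_export(SAMPLE)
    for block in leftovers:
        print("leftover:", dict(attributes(block))["dn"])
    print("\n\n".join(keep))
```

Matching is case-insensitive, so it works whether slapcat prints the attribute names normally or in capitals, and the kept blocks are returned untouched so folding and base64 values survive.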