Hi,
I am in the process of migrating away from our ancient Oracle DSEE7 directory servers to OpenLDAP 2.4.44-23.el7_9.x86_64. One problem I'm experiencing when importing entries with attribute values encoded in base64 is:
adding new entry "cn=LastName,ou=People,dc=cs,dc=university,dc=edu" ldap_add: Invalid syntax (21) additional info: gecos: value #0 invalid per syntax
dn: cn=nis,cn=schema,cn=config objectClass: olcSchemaConfig cn: nis olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
In this example, the "gecos" attribute has the first name "Jérémie", e.g., "gecos:: SsOpcsOpbWll". When I decode it using `base64 -d` it decodes just fine. Why can I not import this base64 encoded value, and others, using ldapadd? I'm binding as olcRootDN which has the appropriate permission, manage, as far as I can tell but have also used SASL EXTERNAL--same results.
Do I need to decode these values in my LDIF file first? I've scoured the internet and the archives here, so forgive me if I've missed a glaringly obvious thread.
Another note, I've used `./dsconf export --no-repl [...]` to avoid the DSEE7 sync-repl operational cruft. I still had some cleaning up to do, but I still don't understand why the base64 values are a hard stop.
Thanks in advance, Brian
harklib@protonmail.com wrote:
Hi,
I am in the process of migrating away from our ancient Oracle DSEE7 directory servers to OpenLDAP 2.4.44-23.el7_9.x86_64. One problem I'm experiencing when importing entries with attribute values encoded in base64 is:
adding new entry "cn=LastName,ou=People,dc=cs,dc=university,dc=edu" ldap_add: Invalid syntax (21) additional info: gecos: value #0 invalid per syntax dn: cn=nis,cn=schema,cn=config objectClass: olcSchemaConfig cn: nis olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )In this example, the "gecos" attribute has the first name "Jérémie", e.g., "gecos:: SsOpcsOpbWll". When I decode it using `base64 -d` it decodes just fine. Why can I not import this base64 encoded value, and others, using ldapadd? I'm binding as olcRootDN which has the appropriate permission, manage, as far as I can tell but have also used SASL EXTERNAL--same results.
Do I need to decode these values in my LDIF file first? I've scoured the internet and the archives here, so forgive me if I've missed a glaringly obvious thread.
The IA5 syntax only allows plain ASCII characters, not accented characters. This has nothing to do with the fact that the value was base64 encoded (although clearly the value got encoded because it is not printable in plain ASCII).
Your DSEE7 server accepted these values because DSEE did not schema validation on any of its data, thus letting you store non-compliant garbage in your directory. You're going to need to clean up your data before importing into OpenLDAP. Either by changing values to be schema compliant, or by using attributes from your own custom schema definitions to accomodate the values you're working with.
Another note, I've used `./dsconf export --no-repl [...]` to avoid the DSEE7 sync-repl operational cruft. I still had some cleaning up to do, but I still don't understand why the base64 values are a hard stop.
Thanks in advance, Brian
--On Thursday, May 6, 2021 3:21 PM +0000 harklib@protonmail.com wrote:
Hi,
I am in the process of migrating away from our ancient Oracle DSEE7 directory servers to OpenLDAP 2.4.44-23.el7_9.x86_64.
Why are you migrating to a release that's over 5 years old? I'd strongly advise saving time and migrating to a current supported release. If you're on RHEL7, Symas offers free drop in replacements for the ancient cruft shipped by RH:
https://repo.symas.com/sofl/rhel7/
The LTB project also offers current builds of OpenLDAP:
https://ltb-project.org/documentation/openldap-rpm#yum_repository
One problem I'm experiencing when importing entries with attribute values encoded in base64 is:
adding new entry "cn=LastName,ou=People,dc=cs,dc=university,dc=edu" ldap_add: Invalid syntax (21) additional info: gecos: value #0 invalid per syntax
In this example, the "gecos" attribute has the first name "Jérémie", e.g., "gecos:: SsOpcsOpbWll". When I decode it using `base64 -d` it decodes just fine. Why can I not import this base64 encoded value, and others, using ldapadd? I'm binding as olcRootDN which has the appropriate permission, manage, as far as I can tell but have also used SASL EXTERNAL--same results.
Does the decoded version actually import successfully? You note it decodes just fine, but you didn't say if you can actually import it at that point.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
openldap-technical@openldap.org
-
harklib@protonmail.com -
Howard Chu -
Quanah Gibson-Mount