Hi!
After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
(the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
The server is one of three MM servers that all have the same configuration and the same version.
The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
Regards, Ulrich

--On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:

> Hi!
> After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
> The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
> (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
> The server is one of three MM servers that all have the same configuration and the same version.
> The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
> What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?

I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.

--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com

Quanah Gibson-Mount quanah@symas.com wrote on 28.08.2019 at 15:56 in message <F0468E4D7DD097415B5FC5C1@[192.168.1.144]>:

> --On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>> Hi!
>> After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
>> The next line logged was: slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
>> (the server is that of SLES12 SP4, 2.4.41 from opensuse-buildservice)
>> The server is one of three MM servers that all have the same configuration and the same version.
>> The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
>> What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.

I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.

> --Quanah
> --
> Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com

--On Thursday, August 29, 2019 9:32 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:

>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.

Using the power of the source, auditcontext is defined in the slapo-accesslog overlay.

--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com

Quanah Gibson-Mount quanah@symas.com wrote on 29.08.2019 at 15:41 in message <2B407C076711C27AEF9EBD7E@[192.168.1.144]>:

> --On Thursday, August 29, 2019 9:32 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
>>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
>> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.
> Using the power of the source, auditcontext is defined in the slapo-accesslog overlay.

Right,
found it there: ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
But I did not find an object definition that uses that attribute (any more). At least not in that module. My guess is that "auditContext: cn=audit" was valid some time in the past, but isn't any more. Still cn=audit continues to work as base DN.
Late response, sorry.
Regards, Ulrich

> --Quanah
> --
> Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com

Ulrich Windl wrote:

> Quanah Gibson-Mount quanah@symas.com wrote on 29.08.2019 at 15:41 in message <2B407C076711C27AEF9EBD7E@[192.168.1.144]>:
>> --On Thursday, August 29, 2019 9:32 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
>>>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
>>> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.
>> Using the power of the source, auditcontext is defined in the slapo-accesslog overlay.
> Right,
> found it there: ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
> But I did not find an object definition that uses that attribute (any more).

It is clearly an operational attribute.
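
The classification in the reply above can be read mechanically from the description quoted in the thread. The following is an added example, not part of any message or of OpenLDAP's code: a small parser for the RFC 4512 attribute type description that applies the rule that any USAGE other than userApplications marks an operational attribute. The function names are made up here.

```python
import re

# Attribute type description quoted in the thread (defined in slapo-accesslog).
AUDIT_CONTEXT = (
    "( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' "
    "DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
    "SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )"
)

# Keywords that stand alone; every other keyword is followed by a value.
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
TOKEN = re.compile(r"'([^']*)'|[()]|[^\s()']+")
OPEN, CLOSE = ("w", "("), ("w", ")")

def tokenize(text):
    # Tag quoted strings "q" and bare words "w" so a quoted "(" is not punctuation.
    return [("q", m.group(1)) if m.group(1) is not None else ("w", m.group(0))
            for m in TOKEN.finditer(text)]

def parse_attribute_type(text):
    toks = tokenize(text)
    if len(toks) < 3 or toks[0] != OPEN or toks[-1] != CLOSE:
        raise ValueError("expected a parenthesised attribute type description")
    attr = {"oid": toks[1][1], "names": [], "flags": set(),
            "usage": "userApplications"}  # RFC 4512 default when USAGE is absent
    i, end = 2, len(toks) - 1
    while i < end:
        keyword, i = toks[i][1], i + 1
        if keyword in FLAGS:
            attr["flags"].add(keyword)
            continue
        if i >= end:
            raise ValueError(f"{keyword} has no value")
        if toks[i] == OPEN:  # list form, e.g. NAME ( 'a' 'b' )
            close = toks.index(CLOSE, i)
            values, i = [v for _, v in toks[i + 1:close]], close + 1
        else:
            values, i = [toks[i][1]], i + 1
        if keyword == "NAME":
            attr["names"] = values
        else:
            attr[keyword.lower()] = values[0]
    return attr

def is_operational(attr):
    # RFC 4512: any USAGE other than userApplications is operational, and
    # NO-USER-MODIFICATION is only valid on such attributes.
    if attr["usage"] == "userApplications" and "NO-USER-MODIFICATION" in attr["flags"]:
        raise ValueError("NO-USER-MODIFICATION requires an operational USAGE")
    return attr["usage"] != "userApplications"
```

For `AUDIT_CONTEXT` the parser reports USAGE `dSAOperation`, so `is_operational` returns `True`; operational attributes are returned by a search only when requested explicitly or with `+`.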

Howard Chu hyc@symas.com wrote on 22.07.2020 at 19:49 in message dbfb1513-f1ef-d44e-a2f6-c5533a530884@symas.com:

> Ulrich Windl wrote:
>> Quanah Gibson-Mount quanah@symas.com wrote on 29.08.2019 at 15:41 in message <2B407C076711C27AEF9EBD7E@[192.168.1.144]>:
>>> --On Thursday, August 29, 2019 9:32 AM +0200 Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
>>>>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
>>>> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.
>>> Using the power of the source, auditcontext is defined in the slapo-accesslog overlay.
>> Right,
>> found it there: ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
>> But I did not find an object definition that uses that attribute (any more).
> It is clearly an operational attribute.

Now I see it, too ;-)

> -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

On 8/29/19 8:32 AM, Ulrich Windl wrote:

> Quanah Gibson-Mount quanah@symas.com wrote on 28.08.2019 at 15:56 in message <F0468E4D7DD097415B5FC5C1@[192.168.1.144]>:
>> --On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>> After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. [..] The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
>>> What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.

Attribute type description 'auditContext' and all other schema definitions for accesslog overlay are defined in C code of slapo-accesslog. If you don't load slapo-accesslog then you normally don't see the schema.
I don't know what inconsistent content your cn=config has though.
Ciao, Michael.

Michael Ströder michael@stroeder.com wrote on 29.08.2019 at 16:34 in message 37c75ce9-b21e-9380-9f71-72c40086b01e@stroeder.com:

> On 8/29/19 8:32 AM, Ulrich Windl wrote:
>> Quanah Gibson-Mount quanah@symas.com wrote on 28.08.2019 at 15:56 in message <F0468E4D7DD097415B5FC5C1@[192.168.1.144]>:
>>> --On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>>> After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. [..] The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
>>>> What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
>>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
>> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.
> Attribute type description 'auditContext' and all other schema definitions for accesslog overlay are defined in C code of slapo-accesslog. If you don't load slapo-accesslog then you normally don't see the schema.
> I don't know what inconsistent content your cn=config has though.

Still I don't quite understand it: It seems the attribute is also in the config database (dn: cn=schema,cn=config), so why is it unknown when slapd starts? It cannot be the reason that the schema is provided by an overlay. That would apply when starting the first time only, maybe (when the schema database isn't populated yet by the overlay).
Regards, Ulrich

> Ciao, Michael.

Ulrich Windl wrote:

> Michael Ströder michael@stroeder.com wrote on 29.08.2019 at 16:34 in message 37c75ce9-b21e-9380-9f71-72c40086b01e@stroeder.com:
>> On 8/29/19 8:32 AM, Ulrich Windl wrote:
>>> Quanah Gibson-Mount quanah@symas.com wrote on 28.08.2019 at 15:56 in message <F0468E4D7DD097415B5FC5C1@[192.168.1.144]>:
>>>> --On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>>>> After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. [..] The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
>>>>> What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
>>>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
>>> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.
>> Attribute type description 'auditContext' and all other schema definitions for accesslog overlay are defined in C code of slapo-accesslog. If you don't load slapo-accesslog then you normally don't see the schema.
>> I don't know what inconsistent content your cn=config has though.
> Still I don't quite understand it: It seems the attribute is also in the config database (dn: cn=schema,cn=config), so why is it unknown when slapd starts? It cannot be the reason that the schema is provided by an overlay. That would apply when starting the first time only, maybe (when the schema database isn't populated yet by the overlay).

http://www.openldap.org/doc/admin24/slapdconf2.html
Section 5.2.3
The contents of the file corresponding to cn=schema are always ignored, and the actual runtime contents of the cn=schema entry are always the actual hardcoded schema in the slapd process. As such, you should only trust the contents of an ldapsearch of the cn=schema,cn=config entry, and always disregard whatever was stored in the file.

Howard Chu hyc@symas.com wrote on 04.09.2019 at 03:40 in message 120f8d33-171a-3712-9f13-473fb55ea09e@symas.com:

> Ulrich Windl wrote:
>> Michael Ströder michael@stroeder.com wrote on 29.08.2019 at 16:34 in message 37c75ce9-b21e-9380-9f71-72c40086b01e@stroeder.com:
>>> On 8/29/19 8:32 AM, Ulrich Windl wrote:
>>>> Quanah Gibson-Mount quanah@symas.com wrote on 28.08.2019 at 15:56 in message <F0468E4D7DD097415B5FC5C1@[192.168.1.144]>:
>>>>> --On Wednesday, August 28, 2019 11:02 AM +0200 Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de> wrote:
>>>>>> After systemd tearing down one of our LDAP servers I noticed the following message when the server was restarted: slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted. [..] The schema knows in olcAttributeTypes (olcSchemaConfig): ( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
>>>>>> What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it some software issue in slapd?
>>>>> I've seen this when an attribute is introduced into the cn=config database that's not part of the built-in slapd schema. It can be harmless in that case.
>>>> I grepped for the attribute in external schema files, but didn't find it. As I found it when querying slapd, I conclude that the definition shown above must be built into slapd.
>>> Attribute type description 'auditContext' and all other schema definitions for accesslog overlay are defined in C code of slapo-accesslog. If you don't load slapo-accesslog then you normally don't see the schema.
>>> I don't know what inconsistent content your cn=config has though.
>> Still I don't quite understand it: It seems the attribute is also in the config database (dn: cn=schema,cn=config), so why is it unknown when slapd starts? It cannot be the reason that the schema is provided by an overlay. That would apply when starting the first time only, maybe (when the schema database isn't populated yet by the overlay).
> http://www.openldap.org/doc/admin24/slapdconf2.html
> Section 5.2.3
> The contents of the file corresponding to cn=schema are always ignored, and the actual runtime contents of the cn=schema entry are always the actual hardcoded schema in the slapd process. As such, you should only trust the contents of an ldapsearch of the cn=schema,cn=config entry, and always disregard whatever was stored in the file.

That was unexpected for me. Is there a technical reason for this design? I see some chicken/egg problem, but for a synced config setup this seems non-optimal.
Regards, Ulrich
openldap-technical@openldap.org