> On 20 Jul 2015, at 17:17, Alexander Bokovoy <[email protected]> wrote:
>
> On Mon, 20 Jul 2015, Alexandre Ellert wrote:
>>
>>> Can you please show output from
>>> fgrep -r 'dc' /etc/dirsrv/slapd-INSTANCE/schema
>>
>> # fgrep -r 'dc' /etc/dirsrv/slapd-NUMEEZY-FR/schema
>
> This is original 'dc' definition:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/00core.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>
> This is the offending one:
>> /etc/dirsrv/slapd-NUMEEZY-FR/schema/99user.ldif:attributeTypes: (
>> 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
>
>> In 00core.ldif, I have :
>> attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
>> EQUALITY caseIgnoreIA5Match
>> SUBSTR caseIgnoreIA5SubstringsMatch
>> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
>> SINGLE-VALUE
>> X-ORIGIN 'RFC 4519'
>> X-DEPRECATED 'domaincomponent' )
> If you look into 99user.ldif, you'll see the wrong definition there.
>
> 99user.ldif accumulates definitions coming from replication or updates.
> You can check other IPA masters, do they have 'dc' attribute defined in
> a wrong way?

I have a second IPA master and here is the occurrence of 'domaincomponent' in /etc/dirsrv/slapd-NUMEEZY-FR/schema:

In 00core.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'RFC 4519'
X-DEPRECATED 'domaincomponent' )

In 99user.ldif:
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )

These two definitions are exactly the same on both IPA masters.
I don’t understand what is wrong in 99user.ldif. How can I correct it with the good definition?

>
>> As far as I remember, the only modification I made was to disable
>> read-only access without authentication. I don’t need any other
>> special customization.
> Something brought the wrong definition into your IPA masters.
> May be someone tried to add support for some old application?

Nobody else has ever had read/write access to the IPA servers. I’m the only admin.
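
Added example, not part of the original thread and not FreeIPA or 389 Directory Server code: a Python script that unfolds LDIF continuation lines and reports every attribute OID whose EQUALITY, SUBSTR, SYNTAX or SINGLE-VALUE differs between two schema files. The sample strings are the two 'dc' definitions pasted above with their line folding reconstructed, and the function names are hypothetical.

```python
import re

# Sample input: the two 'dc' definitions pasted in the thread, with LDIF
# line folding (continuation lines start with one space) reconstructed.
CORE = """\
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' )
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'RFC 4519'
  X-DEPRECATED 'domaincomponent' )
"""
USER = """\
attributeTypes: ( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domaincomponent' ) D
 ESC 'Standard LDAP attribute type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgn
 oreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORI
 GIN ( 'RFC 2247' 'user defined' ) )
"""
FIELDS = ("EQUALITY", "SUBSTR", "SYNTAX")

def parse_attribute_types(ldif_text):
    """Return {oid: {field: value}} for every attributeTypes value in the text."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # RFC 2849 line unfolding
    result = {}
    for line in unfolded.splitlines():
        m = re.match(r"attributeTypes:\s*\(\s*([0-9.]+)\s+(.*)\)\s*$", line, re.I)
        if not m:
            continue
        oid, body = m.groups()
        body = re.sub(r"'[^']*'", "''", body)  # ignore keywords inside quoted strings
        props = {}
        for f in FIELDS:
            hit = re.search(rf"\b{f}\s+(\S+)", body)
            props[f] = hit.group(1) if hit else None
        props["SINGLE-VALUE"] = bool(re.search(r"\bSINGLE-VALUE\b", body))
        result[oid] = props
    return result

def conflicts(base_text, other_text):
    """List (oid, field, base_value, other_value) where one OID is defined differently."""
    base, other = parse_attribute_types(base_text), parse_attribute_types(other_text)
    return [(oid, f, base[oid][f], other[oid][f])
            for oid in sorted(base.keys() & other.keys())
            for f in base[oid] if base[oid][f] != other[oid][f]]

if __name__ == "__main__":
    for oid, field, a, b in conflicts(CORE, USER):
        print(f"{oid}: {field} is {a} in 00core.ldif but {b} in 99user.ldif")
```

On the pasted definitions the only field it reports as different is the SYNTAX OID.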
