6 Replies Latest reply: Jul 28, 2012 6:54 AM by bilias

    hide entryid, parentid and schema violation

    bilias
      Hi,

      Somehow my server started showing me the values of entryid and parentid.
      These used to be operational attributes but not anymore, because they are shown as normal attributes.

      This causes the following problem. When I try to add a new objectClass to a user I have a schema violation:

      [06/Jul/2012:18:28:56 +0300] - ERROR<5897> - Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "uid=user,ou=people,dc=example,dc=com", attribute "parentid" is not allowed

      If I disable schema checking then I can add the objectClass or delete it.

      In my dse.ldif I do have
      nsslapd-exclude-from-export: entrydn entryid dncomp parentid numSubordinates

      #dsadm -V
      [dsadm]
      dsadm : 11.1.1.5.0 B2011.0517.2350 ZIP

      Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.


      [slapd 32-bit]
      Oracle Corporation.
      Sun-Directory-Server/11.1.1.5.0 B2011.0517.2350 32-bit
      ns-slapd : 11.1.1.5.0 B2011.0517.2350 ZIP
      Slapd Library : 11.1.1.5.0 B2011.0517.2350
      Front-End Library : 11.1.1.5.0 B2011.0517.2350

      regards,

      Giannis
        • 1. Re: hide entryid, parentid and schema violation
          bilias
          Hi,

          Any news on this?
          • 2. Re: hide entryid, parentid and schema violation
            802907
            Yeah, you can't include parentid in your entry to add. If you could, that would open up all sorts of problems. The issue seems to stem from your admin client attempting to insert a parentid. Parentid is one of a retrieved entry's attributes, though it's usually only available if requested by name. It's a perfectly acceptable behavior for a client to request the parentid in a search (and for the server to return it in a search result). If the admin client is automatically inserting the parentid in a subsequent ADD, this is bad behavior on the client's part.
            • 3. Re: hide entryid, parentid and schema violation
              bilias
              I think that's not the case at all.

              When I try to do an ldapmodify on a user which includes objectClass (add/delete) I have an objectClass violation:

              dn: uid=user,ou=mail,ou=People,dc=example,dc=com
              changetype: modify
              delete: sambaSID
              -
              delete: objectClass
              objectClass: sambaSamAccount
              -

              I get:
              [24/Jul/2012:14:07:13 +0300] - ERROR<5897> - Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "uid=user,ou=mail,ou=People,dc=example,dc=com", attribute "parentid" is not allowed

              user has the following objectclasses:
              objectClass: person
              objectClass: organizationalPerson
              objectClass: inetOrgPerson
              objectClass: mailRecipient
              objectClass: top
              objectClass: eduPerson
              objectClass: posixAccount
              objectClass: ExampleComUser
              objectClass: sambaSamAccount

              However if I add objectClass: extensibleObject
              to the user then I can add/remove other objectClasses.

              Is something messed up with my schema?

              G
              • 4. Re: hide entryid, parentid and schema violation
                802907
                I understand the problem better now, thanks.

                ParentID certainly shouldn't be giving a schema violation, so yes I would suspect something is wrong with the schema. I'm not even sure if parentid is defined in the schema or is internal to the server. I would guess it's defined in the core schema. Can you grep for parentid in your schema directory on a functioning server vs the non-functioning server and see if there is a difference?
                • 5. Re: hide entryid, parentid and schema violation
                  bilias
                  Well all my servers in the replication domain/organization are 'polluted'.

                  Nevertheless in another organization (same ODSEE version) without this problem I get:

                  # cd config/schema
                  # grep -li parentid *
                  99user.ldif

                  attributeTypes: ( 2.16.840.1.113730.3.1.604 NAME 'parentid' DESC 'Sun ONE defi
                   ned attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
                   INGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'Sun-Di
                   rectory-Server/7.0' 'user defined' ) )

                  attributeTypes: ( 2.16.840.1.113730.3.1.605 NAME 'entryid' DESC 'Sun ONE defin
                   ed attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
                   NGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN ( 'Sun-Dir
                   ectory-Server/7.0' 'user defined' ) )


                  On the polluted server I have:

                  attributeTypes: ( 2.16.840.1.113730.3.1.604 NAME 'parentid' DESC 'Sun ONE defi
                   ned attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
                   INGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'user defined' )

                  attributeTypes: ( 2.16.840.1.113730.3.1.605 NAME 'entryid' DESC 'Sun ONE defin
                   ed attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
                   NGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'user defined' )

                  So it seems it is missing 'USAGE directoryOperation'.

                  How do I add this without messing up my schema?

                  G
                  • 6. Re: hide entryid, parentid and schema violation
                    bilias
                    OK, I modified my schema and restarted my server, and the problem seems to be solved:

                    dn: cn=schema
                    changetype: modify
                    delete: attributeTypes
                    attributeTypes: ( 2.16.840.1.113730.3.1.605 NAME 'entryid' DESC 'Sun ONE defin
                     ed attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SIN
                     GLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'user defined' )
                    -
                    add: attributeTypes
                    attributeTypes: ( 2.16.840.1.113730.3.1.605 NAME 'entryid' DESC 'Sun ONE defin
                     ed attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SIN
                     GLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN 'user define
                     d' )
                    -
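The comparison in reply 5 and the delete/add modify in reply 6 can be automated; the following is an added example, not code from the thread or from Oracle. It scans a schema LDIF for attribute types marked NO-USER-MODIFICATION that lack an operational USAGE (RFC 4512 requires one) and builds the corrective modify. The sample input is constructed from the definitions quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the 99user.ldif excerpts in the thread:
# parentid lacks USAGE, entryid has it. Folded lines start with one space.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.1.604 NAME 'parentid' DESC 'Sun ONE defi
 ned attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
 INGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'user defined' )
attributeTypes: ( 2.16.840.1.113730.3.1.605 NAME 'entryid' DESC 'Sun ONE defin
 ed attribute type' EQUALITY 2.5.13.2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SI
 NGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN 'user defi
 ned' )
"""
OPERATIONAL = {"directoryOperation", "distributedOperation", "dSAOperation"}

def unfold(ldif):
    """Join folded LDIF lines: newline plus one space is a continuation."""
    return re.sub(r"\r?\n ", "", ldif)

def attribute_types(ldif):
    """Yield (name, definition) for every attributeTypes value."""
    for line in unfold(ldif).splitlines():
        m = re.match(r"attributeTypes:\s*(\(.*\))\s*$", line, re.I)
        if m:
            name = re.search(r"NAME\s+\(?\s*'([^']+)'", m.group(1))
            yield (name.group(1) if name else "?"), m.group(1)

def missing_usage(ldif):
    """Return NO-USER-MODIFICATION definitions whose USAGE is not operational."""
    bad = []
    for name, definition in attribute_types(ldif):
        tokens = re.sub(r"'[^']*'", "", definition).split()  # skip quoted text
        usage = tokens[tokens.index("USAGE") + 1] if "USAGE" in tokens else "userApplications"
        if "NO-USER-MODIFICATION" in tokens and usage not in OPERATIONAL:
            bad.append((name, definition))
    return bad

def repair_ldif(definition):
    """Build the delete/add modify shown in reply 6 for one definition."""
    base = re.sub(r"\s+USAGE\s+\S+", "", definition)  # drop a non-operational USAGE
    fixed = base.replace("NO-USER-MODIFICATION", "NO-USER-MODIFICATION USAGE directoryOperation", 1)
    return ("dn: cn=schema\nchangetype: modify\ndelete: attributeTypes\n"
            f"attributeTypes: {definition}\n-\nadd: attributeTypes\n"
            f"attributeTypes: {fixed}\n-\n")

if __name__ == "__main__":
    for name, definition in missing_usage(SAMPLE_LDIF):
        print(repair_ldif(definition))
```

Review the generated LDIF before applying it with ldapmodify; in the thread the change was followed by a server restart.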