DS doesn't load sudo and host attribute schemas - just silently ignores them

Hello!

I've installed Fedora DS 1.1 on Fedora Core 7. It is configured and running.
Now I'm trying to add the following two schemas to it:

1. Schema adding a host attribute to restrict login access for users on a per-host basis:
#---------------------------------------------------------------------
#
dn: cn=schema
#
#---------------------------------------------------------------------
#
# objectClasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' DESC 
'Auxiliary object class for adding authorizedService attribute' SUP top 
AUXILIARY MAY authorizedService )
#
objectClasses: (
  1.3.6.1.4.1.5322.17.1.1
  NAME 'authorizedServiceObject'
  DESC 'Auxiliary object class for adding authorizedService attribute'
  SUP top
  AUXILIARY
  MAY authorizedService
  )
#
#---------------------------------------------------------------------
#
# objectClasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' DESC 'Auxiliary 
object class for adding host attribute' SUP top AUXILIARY MAY host )
#
objectClasses: (
  1.3.6.1.4.1.5322.17.1.2
  NAME 'hostObject'
  DESC 'Auxiliary object class for adding host attribute'
  SUP top
  AUXILIARY
  MAY host
  )
#
#---------------------------------------------------------------------
#
# attributeTypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA 
GSS-API authorized service name' EQUALITY caseIgnoreMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{256} )
#
attributeTypes: (
  1.3.6.1.4.1.5322.17.2.1
  NAME 'authorizedService'
  DESC 'IANA GSS-API authorized service name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
  )


2. Schema for sudo support:
#---------------------------------------------------------------------
#
dn: cn=schema
#
#---------------------------------------------------------------------
#
# attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who 
may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.1
  NAME 'sudoUser'
  DESC 'User(s) who may run sudo'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
#---------------------------------------------------------------------
#
# attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who 
may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.2
  NAME 'sudoHost'
  DESC 'Host(s) who may run sudo'
  EQUALITY caseExactIA5Match
  SUBSTR caseExactIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
#---------------------------------------------------------------------
#
# attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) 
to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 )
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.3
  NAME 'sudoCommand'
  DESC 'Command(s) to be executed by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )
#
#---------------------------------------------------------------------
#
# attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) 
impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 )
#
attributeTypes: (
  1.3.6.1.4.1.15953.9.1.4
  NAME 'sudoRunAs'
  DESC 'User(s) impersonated by sudo'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  )


Both were created by the RFC2252-compliant converter ol2rhds.pl, found on the
Fedora DS Wiki site.

I placed those two schemas as files 70host.ldif and 71sudoers.ldif into the schema
subdirectory of dirsrv (to be exact, I placed three schemas, but the third one,
for dhcp, works fine), and restarted the server. But the server doesn't load them; it
looks like it doesn't even see them. They have exactly the same ownership and
permissions as all the other schema files in that directory, though. Here's the full
list of schema files:

00core.ldif
01common.ldif
05rfc2247.ldif
05rfc2927.ldif
10presence.ldif
10rfc2307.ldif
20subscriber.ldif
25java-object.ldif
28pilot.ldif
30ns-common.ldif
50ns-admin.ldif
50ns-certificate.ldif
50ns-directory.ldif
50ns-mail.ldif
50ns-value.ldif
50ns-web.ldif
60pam-plugin.ldif
64ldapdhcp.ldif
70host.ldif
71sudoers.ldif
99user.ldif

And I see no errors in the error-log. I turned on output of all debug data to the log
file via the Management Console and restarted the server again. There is a huge amount
of debug info in the error-log, but nothing about those two schemas...
Here is the part of the log where the server loads schema files:

[19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
[19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in 
file /etc/dirsrv/slapd-ldap1/schema/60pam-plugin.ldif
[19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="#
#***********************************************..."
[19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
[19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in 
file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif
[19/Apr/2008:06:51:43 -0400] - slapi_str2entry: flags=0xc0, entry="dn: cn=schema
objectClass: top
objectClass: ldapSu..."
[19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
[19/Apr/2008:06:51:43 -0400] - <= str2entry_dupcheck 0x6cb0a0 "cn=schema"
[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in 
file /etc/dirsrv/slapd-ldap1/schema/99user.ldif (primary file)


Can somebody give me any clue? What did I miss, what did I do wrong?...

-- 

Yours truly,
Oleg
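
Added example, not part of the original post: a Python check that compares the schema directory listing with the `dse_read_one_file processing entry` lines in the debug log and reports files the server never parsed, which matters here because the skipped files carry the host-access and sudo definitions. The function names are hypothetical, and the sample log and listing are constructed from the excerpts in the post.

```python
import re

# Constructed sample: "processing entry" lines taken from the log excerpt in
# the post, including the line break between "in" and "file".
SAMPLE_LOG = """\
[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in
file /etc/dirsrv/slapd-ldap1/schema/60pam-plugin.ldif
[19/Apr/2008:06:51:43 -0400] - => str2entry_dupcheck
[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in
file /etc/dirsrv/slapd-ldap1/schema/64ldapdhcp.ldif
[19/Apr/2008:06:51:43 -0400] - dse_read_one_file processing entry "cn=schema" in
file /etc/dirsrv/slapd-ldap1/schema/99user.ldif (primary file)
"""

# Tail of the schema directory listing from the post. On a live system this
# list would come from os.listdir() on the instance's schema directory.
SCHEMA_FILES = ["60pam-plugin.ldif", "64ldapdhcp.ldif", "70host.ldif",
                "71sudoers.ldif", "99user.ldif"]

# \s+ between "in" and "file" tolerates a log line that was wrapped.
PROCESSED = re.compile(
    r'dse_read_one_file processing entry "cn=schema" in\s+file\s+(\S+\.ldif)')


def processed_schema_files(log_text):
    """Return base names of schema files the log shows an entry being read from."""
    return {path.rsplit("/", 1)[-1] for path in PROCESSED.findall(log_text)}


def unprocessed_schema_files(log_text, directory_listing):
    """Return files in the schema directory that have no matching log line."""
    seen = processed_schema_files(log_text)
    return sorted(name for name in directory_listing if name not in seen)


if __name__ == "__main__":
    for name in unprocessed_schema_files(SAMPLE_LOG, SCHEMA_FILES):
        print("no 'processing entry' line for", name)
```

A file reported here was present on disk but produced no parsed `cn=schema` entry at startup, so clients relying on its attributes should be treated as unenforced until the file loads.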





