[SAMBA4] Schema objectGUID causing a problem with OpenLDAP backend

Andrew Bartlett abartlet at samba.org
Tue Nov 17 23:18:39 MST 2009

On Tue, 2009-11-17 at 23:57 -0500, Endi Sukma Dewata wrote:
> Andrew,
> Thanks for merging my patches. I'm trying to test the latest code and found
> a problem with OpenLDAP backend.
> Please take a look at this revision:
> http://gitweb.samba.org/?p=samba.git;a=commit;h=0238147a855c65ea0a81b0a945ae8ffd9b260c75
> Here a random objectGUID is generated for each schema record. This attribute
> will be mapped into entryUUID by the schema mapping. When it's added into
> OpenLDAP it will be rejected with this error:
> Traceback (most recent call last):
>   File "./setup/provision", line 213, in <module>
>     nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode)
>   File "bin/python/samba/provision.py", line 1298, in provision
>     dom_for_fun_level=dom_for_fun_level)
>   File "bin/python/samba/provision.py", line 1009, in setup_samdb
>     samdb.add_ldif(schema.schema_data, controls=["relax:0"])
>   File "bin/python/samba/__init__.py", line 251, in add_ldif
>     self.add(msg,controls)
> _ldb.LdbError: (19, 'LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <entryUUID: no user modification allowed> <>')
> How should this be fixed? The problem doesn't happen with FDS backend.

We now choose the objectGUID for the schema elements.  I had hoped that
the use of the 'relax' control would cause OpenLDAP to accept us
choosing the GUIDs, but apparently not. 

Howard:  We need to choose the objectGUID for certain records.  How do
we make OpenLDAP accept that?

We don't strictly need this against OpenLDAP, but it's going to be a
pain to special case this.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
