[SAMBA4] Schema objectGUID causing a problem with OpenLDAP backend

Howard Chu hyc at symas.com
Tue Nov 17 23:31:59 MST 2009

Andrew Bartlett wrote:
> On Tue, 2009-11-17 at 23:57 -0500, Endi Sukma Dewata wrote:
>> Andrew,
>> Thanks for merging my patches. I'm trying to test the latest code and found
>> a problem with OpenLDAP backend.
>> Please take a look at this revision:
>> http://gitweb.samba.org/?p=samba.git;a=commit;h=0238147a855c65ea0a81b0a945ae8ffd9b260c75
>> Here a random objectGUID is generated for each schema record. This attribute
>> will be mapped into entryUUID by the schema mapping. When it's added into
>> OpenLDAP it will be rejected with this error:
>> Traceback (most recent call last):
>>   File "./setup/provision", line 213, in <module>
>>     nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode)
>>   File "bin/python/samba/provision.py", line 1298, in provision
>>     dom_for_fun_level=dom_for_fun_level)
>>   File "bin/python/samba/provision.py", line 1009, in setup_samdb
>>     samdb.add_ldif(schema.schema_data, controls=["relax:0"])
>>   File "bin/python/samba/__init__.py", line 251, in add_ldif
>>     self.add(msg,controls)
>> _ldb.LdbError: (19, 'LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <entryUUID: no user modification allowed> <>')
>> How should this be fixed? The problem doesn't happen with FDS backend.
> We now choose the objectGUID for the schema elements.  I had hoped that
> the use of the 'relax' control would cause OpenLDAP to accept us
> choosing the GUIDs, but apparently not. 
> Howard:  We need to choose the objectGUID for certain records.  How do
> we make OpenLDAP accept that?
> We don't strictly need this against OpenLDAP, but it's going to be be
> pain to special case this.

The relax control is the right answer, but the fact you got this particular
error message indicates that you didn't attach the relax control to this request.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

More information about the samba-technical mailing list