Thursday, June 26, 2014

Re: [389-users] Removing entries with invalid DN syntax

Hi,
This works for me:
more inv.txt

dn: ou=ny\<group\>mmm,dc=redhat,dc=com
changetype: add
objectclass: organizationalunit

 ldapmodify -x -h localhost -p 1390 -D "cn=directory manager" -w secret12 -f inv.txt
adding new entry "ou=ny\<group\>mmm,dc=redhat,dc=com"

[ludwig@elkris ~]$ ldapdelete -x -h localhost -p 1390 -D "cn=directory manager" -w secret12
ou=ny\<group\>mmm,dc=redhat,dc=com


[26/Jun/2014:16:53:26 +0200] conn=9 op=1 ADD dn="ou=ny\3Cgroup\3Emmm,dc=redhat,dc=com"
[26/Jun/2014:16:53:27 +0200] conn=9 op=1 RESULT err=0 tag=105 nentries=0 etime=1
[
[26/Jun/2014:16:54:23 +0200] conn=10 op=1 DEL dn="ou=ny\3Cgroup\3Emmm,dc=redhat,dc=com"
[26/Jun/2014:16:54:26 +0200] conn=10 op=1 RESULT err=0 tag=107 nentries=0 etime=3

On 06/26/2014 04:21 PM, Audun Røe wrote:
Rich, thanks for the suggestions. 

I tested setting both nsslapd-dn-validate-strict and nsslapd-syntaxcheck to off, but no luck. Finally had a go at disabling "cn=Distinguished Name Syntax,cn=plugins,cn=config" entirely (nsslapd-pluginEnabled: off) but the server wouldn't start at all with this gone. Can't see any other attributes in dse.ldif that seem to apply. 

-Audun


On Thu, Jun 26, 2014 at 4:01 PM, Rich Megginson <rmeggins@redhat.com> wrote:
On 06/26/2014 07:59 AM, Rich Megginson wrote:
On 06/26/2014 07:50 AM, Audun Røe wrote:
Hello,

I'm trying to delete some problematic entries from our 389 directory. The entry DNs contain < and > (probably found their way into the directory years ago). This causes problems with JNDI where DNs from search results are fed directly back into more searches because these particular DNs are somehow returned in in escaped form. E.g. ou=my<problematic>entry,dc=example,dc=com becomes ou=my\<problematic\>entry,dc=example,dc=com, causing error 32. I'm not sure if it's the directory server or JNDI adding the escaping, as ldapsearch from the command line doesn't seem to behave this way, but it doesn't really matter: I want to remove the entries and get rid of the issue. Unfortunately, I'm unable to: 

$ ldapdelete -D "cn=directory manager" -WxH "ldap://example.com:389" "ou=my<problematic>entry,dc=example,dc=com"
Enter LDAP Password: 
ldap_delete: Invalid DN syntax (34)
additional info: DN value invalid per syntax

I've also tried deleting through Apache Directory Studio, error 34 there as well. 

So, any ideas on how to get rid of them? The only thing I can think of is to db2ldif the entire directory, manually excise the entries from the LDIF file and then re-import. But I'd rather not take this step unless there's no other way.

You could try disabling syntax checking - nsslapd-syntaxcheck

Sorry - disable DN syntax checking - I believe that may be different than regular syntax checking

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users



--  389 users mailing list  389-users@lists.fedoraproject.org  https://admin.fedoraproject.org/mailman/listinfo/389-users

No comments:

Post a Comment