HP-UX Directory Server Administrator Guide HP-UX Directory Server Version 8.1 (5900-3098, May 2013)

Validation is skipped for the following binary content:
Fax
OctetString
JPEG
Configuration
A new configuration attribute named nsslapd-syntaxcheck is added to the cn=config entry.
The valid values for the attribute are on and off. By default, the value is set to off. To enable syntax
checking, use ldapmodify to set nsslapd-syntaxcheck to on.
ldapmodify -D "cn=directory manager" -w secret \
-h server.example.com -p 389
dn: cn=config
changetype: modify
replace: nsslapd-syntaxcheck
nsslapd-syntaxcheck: on
HP recommends enabling syntax checking for newly created instances, because this prevents data
that violates the standards from being added to the database.
The configuration also has a warning mode that checks the syntax but never rejects an operation
because of an invalid syntax error. When an invalid syntax error occurs, the server logs a message in
the errors log listing the entry DN, attribute type, and index of the value that triggered the violation.
To set the warning mode, add the attribute nsslapd-syntaxlogging to the cn=config entry
with a value of on. This setting is off by default.
ldapmodify -D "cn=directory manager" -w secret \
-h server.example.com -p 389
dn: cn=config
changetype: modify
replace: nsslapd-syntaxlogging
nsslapd-syntaxlogging: on
When nsslapd-syntaxlogging is set in addition to nsslapd-syntaxcheck, the server logs a
warning and rejects the operation.
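The two settings described above combine into four effective modes, which a script can report when auditing an instance. The following is an added example, not part of the HP guide: it reads the LDIF of cn=config on standard input and prints the effective mode. The function names, mode labels and sample LDIF are constructed for illustration, and the ldapsearch call in the comment assumes the client tools accept the same connection options as the ldapmodify calls above.

```shell
#!/bin/sh
# Added example: report the effective syntax-validation mode of an instance.
# Assumed live usage (same connection options as the ldapmodify calls above):
#   ldapsearch -D "cn=directory manager" -w secret -h server.example.com \
#     -p 389 -b "cn=config" -s base "(objectclass=*)" \
#     nsslapd-syntaxcheck nsslapd-syntaxlogging | syntax_mode

# Print the value of attribute $1 from LDIF on stdin, or "off" if it is
# absent (both settings default to off). Attribute names are compared in
# lower case because LDAP attribute names are case-insensitive.
ldif_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "off" }
        {
            sub(/\r$/, "")
            i = index($0, ":")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) != want) next
            v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            val = tolower(v)
        }
        END { print val }'
}

# Map the two attribute values to the behaviour the guide describes.
syntax_mode() {
    ldif=$(cat)
    check=$(printf '%s\n' "$ldif" | ldif_value nsslapd-syntaxcheck)
    log=$(printf '%s\n' "$ldif" | ldif_value nsslapd-syntaxlogging)
    case "$check/$log" in
        on/on)   echo "enforce+log" ;;  # violation is logged and rejected
        on/off)  echo "enforce" ;;      # violation is rejected
        off/on)  echo "warn-only" ;;    # violation is logged, never rejected
        off/off) echo "disabled" ;;     # no syntax checking
        *)       echo "unknown" ;;      # value other than on or off
    esac
}

# Constructed sample: logging enabled, nsslapd-syntaxcheck left at default.
sample_config() {
    printf 'dn: cn=config\nnsslapd-syntaxlogging: on\n'
}

sample_config | syntax_mode
```

A result of warn-only or disabled on a production instance means non-conforming values can still be written to the database.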
Auditing of Existing Data
Before turning on syntax checking, a task can be launched with a search base and filter as
arguments to check the existing database for syntax violations. Each matching
entry is verified to check whether its attribute values meet the syntax requirements. The entry, attribute,
and index of the value are reported for each violation. This information is also returned in the
nsTaskLog attribute in the task entry and the errors log.
ldapmodify -a -D "cn=directory manager" -w secret -h server.example.com -p 389
dn: cn=example,cn=syntax validation,cn=tasks,cn=config
changetype: add
objectclass: extensibleObject
cn:example
basedn: ou=People,dc=example,dc=com
filter: "(objectclass=inetorgperson)"
Alternatively, use the syntax-validate.pl script to launch the task:
/opt/dirsrv/slapd_instance_name/syntax-validate.pl \
-D "cn=directory manager" -w secret -b "dc=example,dc=com" -f "(objectclass=inetorgperson)"
Strict DN Syntax Enforcement
The DN syntax validation has become more restrictive and the current rules are relatively strict.
Strict adherence to the rules defined in RFC 4514, section 3, invalidates old-style DNs, and therefore