12.12. Using Syntax Validation
With syntax validation, the Directory Server checks that the value of an attribute follows the rules of the syntax given in the definition for that attribute. For example, syntax validation will confirm that a new
telephoneNumber attribute actually has a valid telephone number for its value.
Important
Red Hat recommends not to disable the syntax validation.
12.12.1. About Syntax Validation
As with schema checking, validation reviews any directory modification and rejects changes that violate the syntax. Additional settings can be optionally configured so that syntax validation can log warning messages about syntax violations and then either reject the modification or allow the modification process to succeed.
This feature validates all attribute syntaxes, with the exception of binary syntaxes (which cannot be verified) and non-standard syntaxes, which do not have a defined required format. The syntaxes are validated against RFC 4514.
12.12.2. Syntax Validation and Other Directory Server Operations
Syntax validation is mainly relevant for standard LDAP operations like creating entries (add) or editing attributes (modify). Validating attribute syntax can impact other Directory Server operations, however.
Database Encryption
For normal LDAP operations, an attribute is encrypted just before the value is written to the database. This means That encryption occurs after the attribute syntax is validated.
Encrypted databases (as described in Chapter 10, Configuring Attribute Encryption) can be exported and imported. Normally, it is strongly recommended that these export and import operations are done with the
-E flag with db2ldif and ldif2db, which allows syntax validation to occur just fine for the import operation. However, if the encrypted database is exported without using the -E flag (which is not supported), then an LDIF with encrypted values is created. When this LDIF is then imported, the encrypted attributes cannot be validated, a warning is logged, and attribute validation is skipped in the imported entry.
Synchronization
There may be differences in the allowed or enforced syntaxes for attributes in Windows Active Directory entries and Red Hat Directory Server entries. In that case, the Active Directory values could not be properly synchronized over because syntax validation enforces the RFC standards in the Directory Server entries.
Replication
If the Directory Server 11 instance is a supplier which replicates its changes to a consumer, then there is no issue with using syntax validation. However, if the supplier in replication is an older version of Directory Server or has syntax validation disabled, then syntax validation should not be used on the consumer because the Directory Server 11 consumer may reject attribute values that the supplier allows.
12.12.2.1. Turning Syntax Validation On and Off Using the Command Line
To turn syntax validation on and off, set the value of the
nsslapd-syntaxcheck parameter. For example to disable syntax validation:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-syntaxcheck=off Successfully replaced "nsslapd-syntaxcheck"
For details about the
nsslapd-syntaxcheck parameter, see the description of the parameter in the Red Hat Directory Server Configuration, Command, and File Reference.
12.12.2.2. Turning Syntax Validation On and Off Using the Web Console
To enable or disable syntax validation using the web console:
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the , and select the entry.
- Open the Advanced Settings tab.
- To enable attribute syntax checking, select the Enable Attribute Syntax Checking check box. To disable the feature, clear the check box.
- Click .
12.12.3. Enabling or Disabling Strict Syntax Validation for DNs
When syntax validation is enabled, distinguished names (DN) are validated as described in section 3 of RFC 4514. DN syntax validation is enabled separately because the strictness of later standards can invalidate older DNs that have a different syntax, and therefore directory trees.
Note
If strict DN validation is enabled and a DN value does not conform to the required syntax, then the operation fails with the LDAP result code
34, INVALID_DN_SYNTAX.
12.12.3.1. Enabling or Disabling Strict Syntax Validation for DNs Using the Command Line
To turn strict syntax validation for DNs on and off, set the value of the
nsslapd-dn-validate-strict parameter. For example to disable strict syntax validation for DNs::
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-dn-validate-strict=off Successfully replaced "nsslapd-dn-validate-strict"
For details about the
nsslapd-syntaxcheck parameter, see the description of the parameter in the Red Hat Directory Server Configuration, Command, and File Reference.
12.12.3.2. Enabling or Disabling Strict Syntax Validation for DNs Using the Web Console
To enable or disable strict syntax validation for DNs using the web console:
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the , and select the entry.
- Open the Advanced Settings tab.
- Select or unselect the Strict DN Syntax Validation option depending on whether you want to enable or disable the feature.
- Click .
12.12.4. Enabling Syntax Validation Logging
By default, syntax validation rejects any add or modify operations where an attribute value violates the required syntax. However, the violation itself is not recorded to the errors log by default. The
nsslapd-syntaxlogging attribute enables error logging for any syntax violations.
Note
Syntax violations discovered by the syntax validation script and task are logged in the Directory Server error log.
If both the
nsslapd-syntaxlogging and nsslapd-syntaxcheck parameter are enabled, any invalid attribute modification is rejected and the message written to the log. If nsslapd-syntaxlogging is enabled but nsslapd-syntaxcheck is disabled, then the operation is allowed to succeed, but the warning message is still written to the error log.
12.12.4.1. Enabling Syntax Validation Logging Using the Command Line
To enable syntax validation logging, set the value of the
nsslapd-syntaxlogging parameter to on.
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-syntaxlogging=on Successfully replaced "nsslapd-syntaxlogging"
For details about the
nsslapd-syntaxlogging parameter, see the description of the parameter in the Red Hat Directory Server Configuration, Command, and File Reference.
12.12.4.2. Enabling Syntax Validation Logging Using the Web Console
To enable validation logging using the web console:
- Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the , and select the entry.
- Open the Advanced Settings tab.
- Select the Enable Attribute Syntax Logging option.
- Click .
12.12.5. Validating the Syntax of Existing Attribute Values
In certain situations, you might want to manually validate the syntax of existing values. For example:
- If syntax validation is disabled in the
nsslapd-syntaxcheckparameter. For details, see Section 12.12.2, “Syntax Validation and Other Directory Server Operations”.Important
Red Hat recommends not disabling syntax validation. - If you migrate data from a server without or disabled syntax validation.
Directory Server logs results of syntax validation tasks to the
/var/log/dirsrv/slapd-instance_name/errors file. For example:
- If all verified values are valid:
[28/Jun/2017:12:52:43.669867966 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Starting (base: "dc=example,dc=com", filter: "(objectclass=*)") ... [28/Jun/2017:12:52:43.696850129 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Complete. Found 0 invalid entries.
- If invalid entries were found:
[28/Jun/2017:12:54:05.736087520 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Starting (base: "dc=example,dc=com", filter: "(objectclass=*)") ... [28/Jun/2017:12:54:05.754195607 +0200] - ERR - syntax-plugin - syntax_validate_task_callback - Entry "cn=user,ou=People,dc=example,dc=com" violates syntax. description: value #0 invalid per syntax [28/Jun/2017:12:54:05.759905671 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Complete. Found 1 invalid entries.
Note
The syntax validation task identifies only syntax violations. You must fix incorrect values manually.
12.12.5.1. Creating a Syntax Validation Task Using the dsconf schema validate-syntax Command
Use the
dsconf schema validate-syntax command to create a syntax validation task. For example, to create a task that validates the syntax of all values in the ou=People,dc=example,dc=com sub-tree which match the (objectclass=inetorgperson) filter, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com schema validate-syntax -f '(objectclass=inetorgperson)' ou=People,dc=example,dc=com
12.12.5.2. Creating a Syntax Validation Task Using a cn=tasks Entry
The
cn=tasks,cn=config entry in the Directory Server configuration is a container entry for temporary entries the server uses to manage tasks. To initiate a syntax validation operation, create a task in the cn=syntax validate,cn=tasks,cn=config entry.
For example, to create a task that validates the syntax of all values in the
ou=People,dc=example,dc=com sub-tree which match the (objectclass=inetorgperson) filter:
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=example_syntax_validate,cn=syntax validate,cn=tasks,cn=config objectclass: extensibleObject cn: cn=example_syntax_validate basedn: ou=People,dc=example,dc=com filter: (objectclass=inetorgperson)
When the task is completed, the entry is removed from the directory configuration.
For further details, about the
cn=syntax validate,cn=tasks,cn=config entry, see the cn=schema reload task section in the Red Hat Directory Server Configuration, Command, and File Reference.
