Attempting to modify the Certificate Server CRL object in iManager returns an error: -603

  • 7022754
  • 19-Mar-2018
  • 08-Aug-2018

Environment

Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
eDirectory 8.8 SP8 Patch 10
iManager 2.7 SP7 Patch 11

Situation

The issue is only seen in an OES 2015 SP1 environment.  Standalone versions are unaffected.

Whenever an attempt is made to modify the CRL object in iManager, such as the object's distribution points, an error "-603" (no such attribute) is returned.

Cause

The schema file that shipped with OES was not updated with the attribute ndspkiCRLExtendValidity.  Because this attribute is missing, error -603 (attribute not found) is thrown on OES 2015 SP1.

Additional Information

This has been reported to Engineering.  The workaround is below:

1. Make a backup of the /opt/novell/eDirectory/lib64/nds-schema/pki30.sch file.

2. Modify the above file so that the attribute ndspkiCRLExtendValidity is defined and added to the optionals of the ndspkiCRLConfiguration class.  An example of the new entry is shown below:

2a. Defining the ndspkiCRLExtendValidity attribute:

"ndspkiCRLExtendValidity" ATTRIBUTE ::=
{
        Operation       ADD,
        SyntaxID        SYN_INTEGER,
        Flags           {DS_SINGLE_VALUED_ATTR, DS_SYNC_IMMEDIATE, DS_PUBLIC_READ},
        ASN1ObjID       {2 16 840 1 113719 1 48 4 1 41}
}


2b. Adding the new entry to the MayContain field of the ndspkiCRLConfiguration object class.

"ndspkiCRLConfiguration"  OBJECT-CLASS ::=
{
        Operation       ADD,
        SubClassOf      {"TOP"},
        Flags           {DS_EFFECTIVE_CLASS, DS_CONTAINER_CLASS},
        ContainedBy     {"ndspkiContainer"},
        NamedBy         {"CN"},
        MustContain     {"CN"},
        MayContain      {
                        "ndspkiCRLFileName",
                        "ndspkiDirectory",
                        "ndspkiStatus",
                        "ndspkiIssueTime",
                        "ndspkiNextIssueTime",
                        "ndspkiAttemptTime",
                        "ndspkiTimeInterval",
                        "ndspkiCRLMaxProcessingInterval",
                        "ndspkiCRLNumber",
                        "ndspkiDistributionPoints",
                        "ndspkiDistributionPointDN",
                        "ndspkiCADN",
                        "ndspkiCRLProcessData",
                        "NDSPKI:Public Key",
                        "NDSPKI:Private Key",
                        "NDSPKI:Public Key Certificate",
                        "NDSPKI:Certificate Chain",
                        "NDSPKI:Parent CA",
                        "NDSPKI:Parent CA DN",
                        "NDSPKI:Subject Name",
                        "caCertificate",
                        "Host Server",
                        "ndspkiCRLType",
                        "ndspkiCRLExtendValidity"
                        },

        ASN1ObjID       {2 16 840 1 113719 1 48 6 1 7}
}

3. Extend the schema using the modified file.  The procedure for doing so with the YaST tool can be found in the OES 2015 SP1 Installation Guide - Preparing to Install OES 2015 SP1 - Preparing eDirectory for OES 2015 SP1 - Section 2.5.4: Extending Schema.

https://www.novell.com/documentation/oes2015/inst_oes_lx/data/bx90vbt.html#bhpuhpi

NOTE: Schema should always be extended on a server holding a copy of the root partition.
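
A pre-flight check for the edited file, run between steps 2 and 3. This is an added example, not part of the original TID or any vendor tooling; the function names are hypothetical and the parsing assumes the .sch layout shown above (closing brace of each definition in the first column).

```shell
# Added example: confirm both edits from step 2 are present in a pki30.sch file.
# Function names are hypothetical; parsing assumes the layout shown on this page.
ATTR=ndspkiCRLExtendValidity
CLASS=ndspkiCRLConfiguration

# Step 2a: the attribute is defined ("<attr>" ATTRIBUTE ::=).
sch_defines_attr() {            # $1 = schema file, $2 = attribute name
    grep -Eq "^[[:space:]]*\"$2\"[[:space:]]+ATTRIBUTE[[:space:]]*::=" "$1"
}

# Step 2b: the attribute is listed inside MayContain of the named class only.
sch_class_may_contain() {       # $1 = schema file, $2 = class, $3 = attribute
    awk -v cls="\"$2\"" -v attr="\"$3\"" '
        $1 == cls && $2 == "OBJECT-CLASS"   { in_class = 1; next }
        in_class && $1 == "MayContain"      { in_may = 1 }
        in_may && index($0, attr)           { found = 1 }
        in_may && index($0, "}")            { in_may = 0 }
        in_class && substr($0, 1, 1) == "}" { exit }
        END { exit !found }
    ' "$1"
}

# Report each missing edit; return non-zero if the file is not ready for step 3.
check_pki_schema() {            # $1 = schema file
    rc=0
    sch_defines_attr "$1" "$ATTR" ||
        { echo "missing: $ATTR ATTRIBUTE definition"; rc=1; }
    sch_class_may_contain "$1" "$CLASS" "$ATTR" ||
        { echo "missing: $ATTR in MayContain of $CLASS"; rc=1; }
    return $rc
}

# Constructed sample: 2a has been applied, 2b has not.
demo=$(mktemp)
cat > "$demo" <<'EOF'
"ndspkiCRLExtendValidity" ATTRIBUTE ::=
{
        SyntaxID        SYN_INTEGER
}
"ndspkiCRLConfiguration"  OBJECT-CLASS ::=
{
        MayContain      {
                        "ndspkiCRLType"
                        },
}
EOF
check_pki_schema "$demo" || echo "do not extend the schema with this file yet"
rm -f "$demo"
```

On the server, call check_pki_schema on /opt/novell/eDirectory/lib64/nds-schema/pki30.sch after editing it; a zero exit status means both the attribute definition and the MayContain entry were found.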