12.12. Using Syntax Validation

With syntax validation, the Directory Server checks that the value of an attribute follows the rules of the syntax given in the definition for that attribute. For example, syntax validation will confirm that a new telephoneNumber attribute actually has a valid telephone number for its value.

Important

Red Hat recommends not to disable the syntax validation.

12.12.1. About Syntax Validation

As with schema checking, validation reviews any directory modification and rejects changes that violate the syntax. Additional settings can be optionally configured so that syntax validation can log warning messages about syntax violations and then either reject the modification or allow the modification process to succeed.
This feature validates all attribute syntaxes, with the exception of binary syntaxes (which cannot be verified) and non-standard syntaxes, which do not have a defined required format. The syntaxes are validated against RFC 4514.

12.12.2. Syntax Validation and Other Directory Server Operations

Syntax validation is mainly relevant for standard LDAP operations like creating entries (add) or editing attributes (modify). Validating attribute syntax can impact other Directory Server operations, however.
Database Encryption

For normal LDAP operations, an attribute is encrypted just before the value is written to the database. This means That encryption occurs after the attribute syntax is validated.

Encrypted databases (as described in Chapter 10, Configuring Attribute Encryption) can be exported and imported. Normally, it is strongly recommended that these export and import operations are done with the -E flag with db2ldif and ldif2db, which allows syntax validation to occur just fine for the import operation. However, if the encrypted database is exported without using the -E flag (which is not supported), then an LDIF with encrypted values is created. When this LDIF is then imported, the encrypted attributes cannot be validated, a warning is logged, and attribute validation is skipped in the imported entry.
Synchronization

There may be differences in the allowed or enforced syntaxes for attributes in Windows Active Directory entries and Red Hat Directory Server entries. In that case, the Active Directory values could not be properly synchronized over because syntax validation enforces the RFC standards in the Directory Server entries.

Replication

If the Directory Server 11 instance is a supplier which replicates its changes to a consumer, then there is no issue with using syntax validation. However, if the supplier in replication is an older version of Directory Server or has syntax validation disabled, then syntax validation should not be used on the consumer because the Directory Server 11 consumer may reject attribute values that the master allows.

12.12.2.1. Turning Syntax Validation On and Off Using the Command Line

To turn syntax validation on and off, set the value of the nsslapd-syntaxcheck parameter. For example to disable syntax validation:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-syntaxcheck=off
Successfully replaced "nsslapd-syntaxcheck"
For details about the nsslapd-syntaxcheck parameter, see the description of the parameter in the Red Hat Directory Server Configuration, Command, and File Reference.

12.12.2.2. Turning Syntax Validation On and Off Using the Web Console

To enable or disable syntax validation using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Server Settings, and select the Server Settings entry.
  4. Open the Advanced Settings tab.
  5. To enable attribute syntax checking, select the Enable Attribute Syntax Checking check box. To disable the feature, clear the check box.
  6. Click Save.

12.12.3. Enabling or Disabling Strict Syntax Validation for DNs

When syntax validation is enabled, distinguished names (DN) are validated as described in section 3 of RFC 4514. DN syntax validation is enabled separately because the strictness of later standards can invalidate older DNs that have a different syntax, and therefore directory trees.

Note

If strict DN validation is enabled and a DN value does not conform to the required syntax, then the operation fails with the LDAP result code 34, INVALID_DN_SYNTAX.

12.12.3.1. Enabling or Disabling Strict Syntax Validation for DNs Using the Command Line

To turn strict syntax validation for DNs on and off, set the value of the nsslapd-dn-validate-strict parameter. For example to disable strict syntax validation for DNs::
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-dn-validate-strict=off
Successfully replaced "nsslapd-dn-validate-strict"
For details about the nsslapd-syntaxcheck parameter, see the description of the parameter in the Red Hat Directory Server Configuration, Command, and File Reference.

12.12.3.2. Enabling or Disabling Strict Syntax Validation for DNs Using the Web Console

To enable or disable strict syntax validation for DNs using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Server Settings, and select the Server Settings entry.
  4. Open the Advanced Settings tab.
  5. Select or unselect the Strict DN Syntax Validation option depending on whether you want to enable or disable the feature.
  6. Click Save.

12.12.4. Enabling Syntax Validation Logging

By default, syntax validation rejects any add or modify operations where an attribute value violates the required syntax. However, the violation itself is not recorded to the errors log by default. The nsslapd-syntaxlogging attribute enables error logging for any syntax violations.

Note

Syntax violations discovered by the syntax validation script and task are logged in the Directory Server error log.
If both the nsslapd-syntaxlogging and nsslapd-syntaxcheck parameter are enabled, any invalid attribute modification is rejected and the message written to the log. If nsslapd-syntaxlogging is enabled but nsslapd-syntaxcheck is disabled, then the operation is allowed to succeed, but the warning message is still written to the error log.

12.12.4.1. Enabling Syntax Validation Logging Using the Command Line

To enable syntax validation logging, set the value of the nsslapd-syntaxlogging parameter to on.
# dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-syntaxlogging=on
Successfully replaced "nsslapd-syntaxlogging"
For details about the nsslapd-syntaxlogging parameter, see the description of the parameter in the Red Hat Directory Server Configuration, Command, and File Reference.

12.12.4.2. Enabling Syntax Validation Logging Using the Web Console

To enable validation logging using the web console:
  1. Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
  2. Select the instance.
  3. Open the Server Settings, and select the Server Settings entry.
  4. Open the Advanced Settings tab.
  5. Select the Enable Attribute Syntax Logging option.
  6. Click Save.

12.12.5. Validating the Syntax of Existing Attribute Values

In certain situations, you might want to manually validate the syntax of existing values. For example:
Directory Server logs results of syntax validation tasks to the /var/log/dirsrv/slapd-instance_name/errors file. For example:
  • If all verified values are valid:
    [28/Jun/2017:12:52:43.669867966 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Starting (base: "dc=example,dc=com", filter: "(objectclass=*)") ...
    [28/Jun/2017:12:52:43.696850129 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Complete.  Found 0 invalid entries.
  • If invalid entries were found:
    [28/Jun/2017:12:54:05.736087520 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Starting (base: "dc=example,dc=com", filter: "(objectclass=*)") ...
    [28/Jun/2017:12:54:05.754195607 +0200] - ERR - syntax-plugin - syntax_validate_task_callback - Entry "cn=user,ou=People,dc=example,dc=com" violates syntax.
    description: value #0 invalid per syntax
    [28/Jun/2017:12:54:05.759905671 +0200] - ERR - syntax-plugin - syntax_validate_task_thread - Complete.  Found 1 invalid entries.

    Note

    The syntax validation task identifies only syntax violations. You must fix incorrect values manually.

12.12.5.1. Creating a Syntax Validation Task Using the dsconf schema validate-syntax Command

Use the dsconf schema validate-syntax command to create a syntax validation task. For example, to create a task that validates the syntax of all values in the ou=People,dc=example,dc=com sub-tree which match the (objectclass=inetorgperson) filter, enter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com schema validate-syntax -f '(objectclass=inetorgperson)' ou=People,dc=example,dc=com

12.12.5.2. Creating a Syntax Validation Task Using a cn=tasks Entry

The cn=tasks,cn=config entry in the Directory Server configuration is a container entry for temporary entries the server uses to manage tasks. To initiate a syntax validation operation, create a task in the cn=syntax validate,cn=tasks,cn=config entry.
For example, to create a task that validates the syntax of all values in the ou=People,dc=example,dc=com sub-tree which match the (objectclass=inetorgperson) filter:
# ldapadd -D "cn=Directory Manager" -W -p 389 -h server.example.com -x

dn: cn=example_syntax_validate,cn=syntax validate,cn=tasks,cn=config
objectclass: extensibleObject
cn: cn=example_syntax_validate
basedn: ou=People,dc=example,dc=com
filter: (objectclass=inetorgperson)
When the task is completed, the entry is removed from the directory configuration.
For further details, about the cn=syntax validate,cn=tasks,cn=config entry, see the cn=schema reload task section in the Red Hat Directory Server Configuration, Command, and File Reference.