"slapadd could not parse entry" & "ldap_add: Invalid syntax (21)" errors
by Yan Simkin
Hi,
I'm trying to import the LDIF file (attached), but both commands return an
error. The "slapadd" says there's a problem to parse an entry and the
"ldapadd" announces syntax problems. I've been fighting that for a whole
day, no success.
I attach hereto the LDIF file, the CONF file and both error outputs.
Any help will be greatly appreciated.
Thanks!
--
Regards,
Yan
14 years, 6 months
Re: "slapadd could not parse entry" & "ldap_add: Invalid syntax (21)" errors
by Yan Simkin
This is what I thought, but what schema defines "domain"?
Thanks for the help.
On Fri, Mar 6, 2009 at 6:00 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, March 06, 2009 4:51 PM -0500 Yan Simkin <bushmills(a)gmail.com>
> wrote:
>
> Hi,
>>
>> I'm trying to import the LDIF file (attached), but both commands return an
>> error. The "slapadd" says there's a problem to parse an entry and the
>> "ldapadd" announces syntax problems. I've been fighting that for a whole
>> day, no success.
>>
>> I attach hereto the LDIF file, the CONF file and both error outputs.
>>
>> Any help will be greatly appreciated.
>>
>
> ldap_add: Invalid syntax (21)
> additional info: objectClass: value #2 invalid per syntax
>
> That means the 3rd objectClass value (as they are zero based) is not valid.
> Either you are missing the schema for it (i.e., you haven't loaded it), or
> it's not an objectClass. Fix your data.
>
> It would look like it doesn't like:
>
> objectClass: domain
>
> so you need to fix why it doesn't like that OC. Maybe you didn't load the
> schema that defines it.
>
> --Quanah
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
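The error Quanah decodes above ("objectClass: value #2 invalid per syntax", zero-based) can be caught before running slapadd or ldapadd. The following is an added example, not code from the thread: a minimal LDIF reader that lists every objectClass value not defined by the schema files the server loads. The LOADED_OBJECTCLASSES set and SAMPLE_LDIF are constructed for the example; in a real OpenLDAP install the `domain` objectClass comes from core.schema, which is why it is left out here.

```python
# Constructed for this example: objectClasses defined by the schema files that
# slapd.conf includes. "domain" is deliberately left out to reproduce the
# failure in the thread (in a real install it comes from core.schema).
LOADED_OBJECTCLASSES = {"top", "dcobject", "organizationalunit",
                        "person", "posixaccount", "posixgroup"}

def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; unfolds lines, skips comments."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw.startswith("#") or raw.startswith("version:"):
            continue
        elif raw:
            lines.append(raw)
        elif lines:                              # blank line ends the entry
            dn, attrs = None, []
            for line in lines:
                name, _, value = line.partition(":")
                if name.lower() == "dn":
                    dn = value.strip()
                else:
                    attrs.append((name, value.strip()))
            entries.append((dn, attrs))
            lines = []
    return entries

def check_objectclasses(text, loaded=LOADED_OBJECTCLASSES):
    """List (dn, index, value) per unknown objectClass; index is zero-based like slapd's."""
    problems = []
    for dn, attrs in parse_ldif(text):
        values = [v for a, v in attrs if a.lower() == "objectclass"]
        for i, oc in enumerate(values):
            if oc.lower() not in loaded:
                problems.append((dn, i, oc))
    return problems

# Constructed sample LDIF; the first entry mirrors the failing import.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: domain
dc: example

dn: ou=People,
 dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
"""
```

Adding `"domain"` to the loaded set (i.e. including core.schema) makes the report empty, which is the fix Quanah suggests.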
Re: set ACL specification/syntax
by Andrew Cobaugh
On Fri, Mar 6, 2009 at 4:45 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> Which ACL is "This ACL"?
access to dn.subtree="ou=group,dc=mydomain"
by set="this/cn & user/uid" write
> Have you turned on acl level debugging to see what exactly is occurring when
> you go to do operations?
Yes, and it is falling right past the above acl and hitting the
catchall for the top of the directory for * read.
> Also, what OpenLDAP release are you using?
Heh, OpenLDAP 2.4.11. Old I know, I've been meaning to go back to a
stable 2.3 for some time, but 2.4.x had certain fixes for the
translucent overlay that I needed, which I don't need anymore.
--andy
Re: set ACL specification/syntax
by Andrew Cobaugh
On Fri, Mar 6, 2009 at 4:30 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> As documented, ACLs are evaluated in the order they are hit. So if you have
> a by * read at the top of your ACLs, then of course nothing after that will
> be evaluated.
This ACL is the first listed in the config file. In debug, it's also
the first that it reads from the config file.
--andy
Re: set ACL specification/syntax
by Quanah Gibson-Mount
--On Friday, March 06, 2009 4:10 PM -0500 Andrew Cobaugh
<phalenor(a)gmail.com> wrote:
> Weird, this isn't matching:
>
> access to dn.children="ou=group,dc=mydoman"
> by set="this/cn & user/uid" write
>
> Instead, it's falling through to the "by * read" entry at the top of the
> tree.
>
> It doesn't even look like it's trying to match against that ACL, actually.
As documented, ACLs are evaluated in the order they are hit. So if you
have a by * read at the top of your ACLs, then of course nothing after that
will be evaluated.
I suggest you closely read slapd-access(5).
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Re: set ACL specification/syntax
by Quanah Gibson-Mount
--On Friday, March 06, 2009 4:04 PM -0500 Andrew Cobaugh
<phalenor(a)gmail.com> wrote:
> On Fri, Mar 6, 2009 at 3:57 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
> wrote:
>> --On Friday, March 06, 2009 3:46 PM -0500 Andrew Cobaugh
>> <phalenor(a)gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> I think the set clause should at least be based on something like,
>>> set="this/cn & user/uid" but with extra stuff in there to require a
>>> colon and one or more characters only.
>>
>> Add a second cn value to the entry that matches the uid. That way
>> this/cn would match. cn is multivalued after all. ;)
>
> Hmm, not sure that would work, as there are already entries like that
> (everyone gets a group that matches their uid, which becomes their
> primary posix group).
>
> Let me try it and see if it breaks anything...
Please keep replies on the list.
If you set the cn value on every group they are supposed to be able to
write to, then they'll be able to write to any of those groups. I.e.,
"this/cn" is the group entry in question. I'm assuming you want them to be
able to write to any group they have control of. If you don't, then simply
remove the cn=uid value from the group.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
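Two points from this thread (ACL directives are tried in order and the first matching "access to" wins, and a set clause like `set="this/cn & user/uid"` applies only when the intersection is non-empty) can be checked with a small model. This is an added example, not code from the thread or from OpenLDAP: it models only dn.subtree, dn.children, `by *` and `by set=` with `&`, assumes slapd's documented behaviour that a matched directive with no matching `by` clause denies access, and uses constructed USER and GROUP entries.

```python
# Model of slapd-access(5) evaluation order (added example): the first
# "access to" clause whose target matches is used, then the first matching
# "by" clause inside it. Assumption: no match at all yields "none".

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def target_matches(scope, base, dn):
    """dn.subtree includes the base entry itself; dn.children excludes it."""
    dn, base = _norm(dn), _norm(base)
    if scope == "subtree":
        return dn == base or dn.endswith("," + base)
    if scope == "children":
        return dn.endswith("," + base)
    raise ValueError(scope)

def set_matches(expr, this, user):
    """Evaluate 'x/attr & y/attr': the clause applies if the intersection is non-empty."""
    entries = {"this": this, "user": user}
    result = None
    for term in expr.split("&"):
        who, attr = term.strip().split("/")
        values = {v.lower() for v in entries[who].get(attr, [])}
        result = values if result is None else result & values
    return bool(result)

def evaluate(acls, target, user):
    """Return the access level the model grants `user` on `target`."""
    for acl in acls:
        scope, base = acl["to"]
        if not target_matches(scope, base, target["dn"]):
            continue                      # not this directive; try the next
        for who, access in acl["by"]:
            if who == "*" or (who.startswith("set=")
                              and set_matches(who[4:], target, user)):
                return access             # first matching 'by' clause decides
        return "none"                     # directive matched, no 'by' matched
    return "none"

# Constructed entries: attribute values live in the dict beside the dn.
USER = {"dn": "uid=andy,ou=people,dc=mydomain", "uid": ["andy"]}
GROUP = {"dn": "cn=andy:web,ou=group,dc=mydomain", "cn": ["andy:web"]}
SET_ACL = {"to": ("subtree", "ou=group,dc=mydomain"),
           "by": [("set=this/cn & user/uid", "write")]}
READ_ALL = {"to": ("subtree", "dc=mydomain"), "by": [("*", "read")]}
```

With READ_ALL listed first the group entry never reaches SET_ACL; with SET_ACL first, the user gets write only once the group carries a second cn value equal to the uid, which is the change Quanah proposes.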
set ACL specification/syntax
by Andrew Cobaugh
Hi all,
I'm trying to set up 'personal' groups with ACLs that allow my users
to directly create and modify their own personal group. For me,
personal groups are of the form
"cn=uid:groupname,ou=group,dc=mydomain"
So far I've had partial success. If the group already exists, the user
can modify that entry.
What I'm struggling with is how to allow authenticated users to create
entries of the form uid:foo under the group ou, i.e. grant write
access to the children of ou=group.
I *think* I can use "by set=<something>", but I haven't quite gotten
the grasp of it, and there are very few references to using 'set'
online (at least that I've found).
I was hoping someone on this list has either done something like this
before, or could point me in the right direction.
I think the set clause should at least be based on something like,
set="this/cn & user/uid" but with extra stuff in there to require a
colon and one or more characters only.
Ideas?
--andy
uidNumber doesn't match after slapd-upgrade
by Wolfgang Hennerbichler
Hi,
Sorry if this question has been asked before (but I have looked
through the archives and didn't find anything). After upgrading from
debian etch to lenny, I'm running the slapd version 2.4.11-1. The
upgrade worked without any hitches except for one thing - it seems I
can't search for the attribute uidNumber anymore.
I've had a look at my schema files but they didn't contain a
definition for uidNumber, so after reading I found out this is a
builtin attribute.
So here's what happens:
this works without problems:
ldapsearch -D cn=admin,dc=wogri,dc=at -b dc=wogri,dc=at -h ldap.wogri.at '(&(uid=user))' -W -x
this results, amongst others, in:
dn: uid=user,ou=People,o=myOrg,dc=wogri,dc=at
gidNumber: 100
uidNumber: 1000
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
gecos: Wolfgang Hennerbichler
uid: user
but this search, which should bring the same result doesn't work:
ldapsearch -D cn=admin,dc=wogri,dc=at -b dc=wogri,dc=at -h ldap.wogri.at '(&(uidNumber=1000))' -W -x
# search result
search: 2
result: 0 Success
Using my LDAP-Browser I found out that the schema definition for
uidNumber looks like this:
OID: 1.3.6.1.1.1.1.0
Syntax: 1.3.6.1.4.1.1466.115.121.1.27
Equality: integerMatch
I don't quite get this (as I also don't see why it shouldn't work);
unfortunately this breaks more or less my whole setup, so I'd be very
thankful for an answer!
wogri
--
http://www.wogri.com
New guy needs some help choosing an overlay
by Jonathan Knight
I'm a bit new to the openldap package - my experience really dates back
to the X500 QUIPU days in the early 90's so while I understand the
principles, it's the details of the software package that are something
of a mystery.
We're implementing LDAP for a variety of applications and we're going to
use boolean attributes in the schema to determine whether a service
should be enabled or disabled for a particular user.
So, for example, we have an attribute of "kdiremail" which is true if
the user is allowed to use the email service and false if they're not.
This works well with tools like dovecot because we can set up the search
filter to only authenticate users who have that attribute set to true.
However, some applications are born into an Active Directory world where
such things seem to be unknown.
I'm battling the Blackboard WebCT Vista product which allows me to
specify attributes to look up for the username, but does not allow me to
specifically define the search filter.
My plan is to use the rewrite/remap overlay to create a fake hierarchy
within our existing DIT where the search filter values are re-written
to include a check to see if kdirvle is true. So then any searches on
that DN will only return users who are allowed to use the VLE, I can
then point our WebCT service to that basedn.
I think this overlay will do the job I want, but I can see that there
are many overlays in the openldap package and I wanted to check with
someone more experienced than I am that the rewrite/remap overlay is the
right choice for this kind of job.
Jon.
RE: uidNumber doesn't match after slapd-upgrade
by Carl Johnstone
> 1. 2.4.11 is quite old. I'd recommend to use a more recent release.
That's unfair when the openldap web site suggests it as current stable:
http://www.openldap.org/software/download/
Carl