Hi,
My understanding is that OpenLDAP software doesn't support subschema modification over LDAP operations, but I'm willing to use OpenLDAP client to change cn=schema on an LDAP server (different vendor) that supports it.
Is that possible? Or is the OpenLDAP checking for cn=schema at the client? The output I'm getting is:
[root@pam ~]# ldapmodify -H ldap://host -D cn=root -w passwd -x -ZZ -a -f /usr/share/doc/krb5-server-ldap-1.6.2/kerberos.ldif
ldapmodify: invalid format (line 5) entry: "cn=schema"
[root@pam ~]#
Thanks,
-Klaus
Klaus Heinrich Kiwi wrote:
> Hi,
> My understanding is that OpenLDAP software doesn't support subschema modification over LDAP operations, but I'm willing to use OpenLDAP client to change cn=schema on an LDAP server (different vendor) that supports it.
OpenLDAP supports schema modification by way of LDAP operations. It does not support direct modification to "cn=subschema" (not "cn=schema").
> Is that possible? Or is the OpenLDAP checking for cn=schema at the client? The output I'm getting is:
You need to modify the "cn=schema,cn=config" within the config naming context, and changes will be reflected into the "cn=subschema" entry.
> [root@pam ~]# ldapmodify -H ldap://host -D cn=root -w passwd -x -ZZ -a -f /usr/share/doc/krb5-server-ldap-1.6.2/kerberos.ldif
> ldapmodify: invalid format (line 5) entry: "cn=schema"
This error indicates a malformed LDIF. You should check whether line 5 of the entry "cn=schema" is correct. This has nothing to do with OpenLDAP's slapd: the error is detected at the client side.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
Klaus Heinrich Kiwi wrote:
> but I'm willing to use OpenLDAP client to change cn=schema on an LDAP server (different vendor) that supports it.
> Is that possible?
Yes.
> Or is the OpenLDAP checking for cn=schema at the client?
No.
> The output I'm getting is:
> [root@pam ~]# ldapmodify -H ldap://host -D cn=root -w passwd -x -ZZ -a -f /usr/share/doc/krb5-server-ldap-1.6.2/kerberos.ldif
> ldapmodify: invalid format (line 5) entry: "cn=schema"
You should provide the relevant excerpt of the LDIF file.
Ciao, Michael.
On Tue, 2008-09-16 at 22:01 +0200, Michael Ströder wrote:
> > [root@pam ~]# ldapmodify -H ldap://host -D cn=root -w passwd -x -ZZ
> > -a -f /usr/share/doc/krb5-server-ldap-1.6.2/kerberos.ldif
> > ldapmodify: invalid format (line 5) entry: "cn=schema"
> You should provide the relevant excerpt of the LDIF file.
It's the regular MIT-Kerberos Schema that comes with krb5-server-ldap: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi/*checkout*/trunk/src/plugins/kdb/...
Looks like the client doesn't count the commented lines in the above error message, so I'm assuming the problematic lines to be:
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
I must note that I can correctly import the above LDIF using IBM Server (ITDS 6.1) 'ldapmodify'.
Thanks,
-Klaus
Klaus Heinrich Kiwi wrote:
> On Tue, 2008-09-16 at 22:01 +0200, Michael Ströder wrote:
> > > [root@pam ~]# ldapmodify -H ldap://host -D cn=root -w passwd -x -ZZ
> > > -a -f /usr/share/doc/krb5-server-ldap-1.6.2/kerberos.ldif
> > > ldapmodify: invalid format (line 5) entry: "cn=schema"
> > You should provide the relevant excerpt of the LDIF file.
> It's the regular MIT-Kerberos Schema that comes with krb5-server-ldap: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi/*checkout*/trunk/src/plugins/kdb/...
The file might not fully comply with RFC 2849 (LDIF).
> Looks like the client doesn't count the commented lines in the above error message, so I'm assuming the problematic lines to be:
> dn: cn=schema
> changetype: modify
> add: attributetypes
> attributetypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
> I must note that I can correctly import the above LDIF using IBM Server (ITDS 6.1) 'ldapmodify'.
Depends on how liberal the LDIF parser is. I'd clean up the file above:
- remove the comments
- clean up line continuations
- separate each record by a *single* empty line
- watch out which line-endings are used
Ciao, Michael.
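Added example, not part of the thread and not code from OpenLDAP or MIT Kerberos: the four clean-up steps listed above, written as a small Python normalizer that also reports what it changed and on which physical line. The function name `normalize_ldif`, the sample input and the `cn=example` record are constructed for illustration.

```python
def normalize_ldif(raw: bytes):
    """Apply the clean-up steps to LDIF bytes; return (clean_text, findings)."""
    findings = []
    if b"\r" in raw:
        findings.append("CR/CRLF line endings converted to LF")
    lines = raw.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()  # artifact of the final newline, not an empty line
    # Unfold (RFC 2849): a line starting with a space continues the previous
    # line and exactly that one space is dropped. Comments may be folded too.
    logical = []  # [first physical line number, unfolded text]
    for no, line in enumerate(lines, 1):
        if line and not line.strip():  # this example's choice, and it is reported
            findings.append(f"line {no}: whitespace-only line treated as empty")
            line = ""
        if line.startswith(" ") and logical and logical[-1][1]:
            logical[-1][1] += line[1:]
            findings.append(f"line {no}: continuation unfolded")
        else:
            logical.append([no, line])
    out = []
    for no, line in logical:
        if line.startswith("#"):
            findings.append(f"line {no}: comment removed")
        elif line:
            out.append(line)
        elif out and out[-1]:
            out.append("")  # a single empty line separates records
        elif out:
            findings.append(f"line {no}: extra empty line dropped")
    while out and not out[-1]:
        out.pop()
    return "\n".join(out) + "\n", findings

# Constructed sample (not the MIT file): CRLF endings, comments, folded
# lines and a doubled separator around the attribute type quoted above.
SAMPLE = b"\r\n".join([
    b"# constructed sample", b"dn: cn=schema", b"changetype: modify",
    b"add: attributetypes", b"# folded comment", b"  continues here",
    b"attributetypes: ( 2.16.840.1.113719.1.301.4.1.1",
    b"  NAME 'krbPrincipalName'",
    b"  EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch",
    b"  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)", b"", b"",
    b"dn: cn=example", b"changetype: delete", b"",
])

if __name__ == "__main__":
    clean, findings = normalize_ldif(SAMPLE)
    print(clean, *findings, sep="\n")
```

RFC 2849 unfolding removes only the first space of a continuation line, so a definition folded with a single leading space before a new token joins as `1.1NAME`; the sample uses two spaces so one separator survives.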
openldap-software@openldap.org