Error code 65 - invalid structural object class chain (groupOfUniqueNames/posixGroup)
by Casey Jordan
Hi group,
I am trying to import an ldif and I keep getting this error which has me
totally stumped:
[LDAP: error code 65 - invalid structural object class chain
(groupOfUniqueNames/posixGroup)]
(And here are the attributes it fails on)
dn: cn=dba,ou=Groups,dc=exist,dc=easydita,dc=com
gidNumber: 1
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=admin,ou=Users,dc=exist,dc=easydita,dc=com
cn: dba
I assume this has something to do with a conflict between posixGroup and
groupOfUniqueNames, but I am pretty green on this stuff so I am not sure
what I need to do to resolve this.
Any help would be much appreciated.
Thanks,
Casey
--
Casey Jordan
easyDITA a product of Jorsek LLC
"CaseyDJordan" on LinkedIn, Twitter & Facebook
Cell (585) 348 7399
Office (585) 239 6060
easydita.com
This message is intended only for the use of the Addressee(s) and may
contain information that is privileged, confidential, and/or exempt from
disclosure under applicable law. If you are not the intended recipient,
please be advised that any disclosure copying, distribution, or use of
the information contained herein is prohibited. If you have received
this communication in error, please destroy all copies of the message,
whether in electronic or hard copy format, as well as attachments, and
immediately contact the sender by replying to this e-mail or by phone.
Thank you.
11 years, 3 months
Re: newbie problem importing ldap
by deconya
Hi
Are you sure? I have a working server and it does not have any slapd.conf inside. Neither
does the new server. They are two Ubuntu 9.04 servers.
Thanks
2011/3/18 Jonathan Clarke <jonathan(a)openldap.org>
> On 18/03/11 15:42, deconya wrote:
> > Ok, and where can I change it?
> >
> > My ldap.conf only has:
> >
> > base dc=esci,dc=es
> >
> > uri ldapi://127.0.0.1/
> >
> > ldap_version 3
> >
> > rootbinddn cn=admin,dc=esci,dc=es
> >
> > Is it another file?
>
> The configuration file for OpenLDAP server is slapd.conf. ldap.conf is
> for LDAP *clients*, thus irrelevant here.
>
> Jonathan
>
> >
> > 2011/3/18 Benjamin Griese <der.darude(a)gmail.com>
> >
> > Hello,
> > your database suffix doesn't match your ldif; you're missing "dc=es"
> > in your database suffix declaration.
> >
> > bye.
> >
> > On Fri, Mar 18, 2011 at 13:11, deconya <elmailpersonal(a)gmail.com> wrote:
> > > Hi list
> > >
> > > I'm having problems configuring a new slave LDAP server. I ran
> > >
> > > # slapcat -l master.ldif on the master server
> > >
> > > On an Ubuntu server with OpenLDAP 2.4 I'm importing it using
> > >
> > > # slapadd -c -l ./master.ldif
> > >
> > > It prints:
> > >
> > > slapadd: line 1: database (dc=esci) not configured to hold
> > "dc=esci,dc=es"
> > > slapadd: line 1: database (dc=esci) not configured to hold
> > "dc=esci,dc=es"
> > > slapadd: line 19: database (dc=esci) not configured to hold
> > > "cn=admin,dc=esci,dc=es"
> > > slapadd: line 19: database (dc=esci) not configured to hold
> > > "cn=admin,dc=esci,dc=es"
> > > slapadd: line 33: database (dc=esci) not configured to hold
> > > "ou=Users,dc=esci,dc=es"
> > > slapadd: line 33: database (dc=esci) not configured to hold
> > > "ou=users,dc=esci,dc=es"
> > > slapadd: line 45: database (dc=esci) not configured to hold
> > > "ou=Groups,dc=esci,dc=es"
> > > slapadd: line 45: database (dc=esci) not configured to hold
> > > "ou=groups,dc=esci,dc=es"
> > > slapadd: line 57: database (dc=esci) not configured to hold
> > > "ou=Computers,dc=esci,dc=es"
> > > slapadd: line 57: database (dc=esci) not configured to hold
> > > "ou=computers,dc=esci,dc=es"
> > > slapadd: line 69: database (dc=esci) not configured to hold
> > > "ou=Idmap,dc=esci,dc=es"
> > > slapadd: line 69: database (dc=esci) not configured to hold
> > > "ou=idmap,dc=esci,dc=es"
> > >
> > > And more errors of this type:
> > >
> > > str2entry: invalid value for attributeType objectClass #4 (syntax
> > > 1.3.6.1.4.1.1466.115.121.1.38)
> > > slapadd: could not parse entry (line=123)
> > >
> > > I only installed the openldap package, and inside the schema folder I
> > > added the same schema files.
> > >
> > > Which step am I getting wrong?
> > >
> > > Thanks And Best Regards
> > >
> >
> >
> >
> > --
> > To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
> > be is to do -- Sartre | Do be do be do -- Sinatra
> >
> >
>
>
11 years, 3 months
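The three slapadd failures on this page (the "error code 65" post at the top, and the "database (dc=esci) not configured to hold ..." and "str2entry: invalid value for attributeType objectClass" errors in this thread) can all be caught before the import is attempted. The script below is an added example written for this page, not OpenLDAP code. It reads LDIF with a small hand-written parser and applies the server's rules to a hand-written subset of the core, cosine and nis schema: an entry's DN must lie under the configured suffix, every objectClass value must resolve in the loaded schema, and all of an entry's STRUCTURAL classes must sit on one superior chain (two classes that both derive directly from `top`, such as groupOfUniqueNames and posixGroup from nis.schema, do not). The `SCHEMA` table, the rfc2307bis variant in which posixGroup is AUXILIARY, and `SAMPLE_LDIF` are constructed for the example.

```python
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Hand-written subset of OpenLDAP's core/cosine/nis schema, for this example only
# (assumption: kind and SUP as in the 2.4 schema files): name -> (kind, superior).
SCHEMA: Dict[str, Tuple[str, Optional[str]]] = {
    "top": ("ABSTRACT", None),
    "organizationalUnit": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "posixGroup": ("STRUCTURAL", "top"),  # nis.schema (RFC 2307)
}
# rfc2307bis makes posixGroup AUXILIARY; with that schema the chain error goes away.
SCHEMA_RFC2307BIS = dict(SCHEMA, posixGroup=("AUXILIARY", "top"))


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    attrs: Dict[str, List[str]] = {}
    for line in unfolded + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    # Enough for a suffix check: case-fold and drop whitespace around RDN
    # separators (escaped commas inside values are not handled).
    return ",".join(part.strip() for part in dn.split(",")).lower()


def superior_chain(oc: Optional[str], schema=SCHEMA) -> List[str]:
    """The class and its superiors up to 'top', most derived first."""
    chain: List[str] = []
    while oc is not None:
        chain.append(oc)
        oc = schema[oc][1]
    return chain


def check_entry(entry: Dict[str, List[str]], suffix: str, schema=SCHEMA) -> List[str]:
    """The checks slapadd applies to one entry, as a list of problem strings."""
    problems: List[str] = []
    dn = entry.get("dn", [""])[0]
    ndn, nsuffix = normalize_dn(dn), normalize_dn(suffix)
    if not (ndn == nsuffix or ndn.endswith("," + nsuffix)):
        problems.append('database (%s) not configured to hold "%s"' % (suffix, dn))
    by_lower = {name.lower(): name for name in schema}
    resolved: List[str] = []
    for oc in entry.get("objectClass", []):
        if oc.lower() in by_lower:
            resolved.append(by_lower[oc.lower()])
        else:  # what str2entry reports as an invalid objectClass value
            problems.append("unknown objectClass %r (schema file not included?)" % oc)
    structural = [oc for oc in resolved if schema[oc][0] == "STRUCTURAL"]
    # Server rule: all structural classes of an entry must lie on one superior
    # chain; the most derived one becomes the entry's structuralObjectClass.
    for a, b in combinations(structural, 2):
        if a not in superior_chain(b, schema) and b not in superior_chain(a, schema):
            problems.append("invalid structural object class chain (%s/%s)" % (a, b))
    return problems


def lint_ldif(text: str, suffix: str, schema=SCHEMA) -> Dict[str, List[str]]:
    """dn -> problems, for every entry that has at least one problem."""
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(text):
        problems = check_entry(entry, suffix, schema)
        if problems:
            report[entry.get("dn", [""])[0]] = problems
    return report


# Constructed input: the dba group from the error-65 post, plus an entry that is
# outside the configured suffix and uses a class whose schema was never included.
SAMPLE_LDIF = """\
dn: cn=dba,ou=Groups,dc=exist,dc=easydita,dc=com
gidNumber: 1
objectClass: groupOfUniqueNames
objectClass: posixGroup
uniqueMember: uid=admin,ou=Users,dc=exist,dc=easydita,dc=com
cn: dba

dn: ou=Users,dc=esci,dc=es
objectClass: organizationalUnit
objectClass: sambaDomain
"""
```

Running `lint_ldif(SAMPLE_LDIF, "dc=easydita,dc=com")` reports the chain conflict for the dba group and both the suffix mismatch and the unresolved sambaDomain class for the second entry; the same input checked against `SCHEMA_RFC2307BIS` reports nothing for the group, which is the effect of switching to a schema where posixGroup is auxiliary.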
Confused about pwdpolicy
by Luo, Frank Y.F. Mr.
I have an administrative user "uid=admin,ou=people,dc=compnay,dc=com"
and the first ACI sentence is like this:
access to *
    by dn="uid=admin,ou=people,dc=compnay,dc=com" manage
    ... {omitted}
    by * break
access to .....
{omitted}
I assume that allows this admin user to manage all the attributes (*), including changing userPassword for all users. But it turns out that I still need to set pwdAllowUserChange to TRUE in the default pwdpolicy. As I understand it, this password policy controls users changing their own passwords, not an administrator covered by the above ACI. Here is what I copied from the man page:
pwdAllowUserChange
This attribute specifies whether users are allowed to change their own
passwords or not. If pwdAllowUserChange is set to "TRUE", or if the
attribute is not present, users will be allowed to change their own
passwords. If its value is "FALSE", users will not be allowed to
change their own passwords.
There must be some misunderstanding here. Can anyone help?
Thanks
Frank
11 years, 3 months
newbie problem importing ldap
by deconya
Hi list
I'm having problems configuring a new slave LDAP server. I ran
# slapcat -l master.ldif on the master server
On an Ubuntu server with OpenLDAP 2.4 I'm importing it using
# slapadd -c -l ./master.ldif
It prints:
slapadd: line 1: database (dc=esci) not configured to hold "dc=esci,dc=es"
slapadd: line 1: database (dc=esci) not configured to hold "dc=esci,dc=es"
slapadd: line 19: database (dc=esci) not configured to hold
"cn=admin,dc=esci,dc=es"
slapadd: line 19: database (dc=esci) not configured to hold
"cn=admin,dc=esci,dc=es"
slapadd: line 33: database (dc=esci) not configured to hold
"ou=Users,dc=esci,dc=es"
slapadd: line 33: database (dc=esci) not configured to hold
"ou=users,dc=esci,dc=es"
slapadd: line 45: database (dc=esci) not configured to hold
"ou=Groups,dc=esci,dc=es"
slapadd: line 45: database (dc=esci) not configured to hold
"ou=groups,dc=esci,dc=es"
slapadd: line 57: database (dc=esci) not configured to hold
"ou=Computers,dc=esci,dc=es"
slapadd: line 57: database (dc=esci) not configured to hold
"ou=computers,dc=esci,dc=es"
slapadd: line 69: database (dc=esci) not configured to hold
"ou=Idmap,dc=esci,dc=es"
slapadd: line 69: database (dc=esci) not configured to hold
"ou=idmap,dc=esci,dc=es"
And more errors of this type:
str2entry: invalid value for attributeType objectClass #4 (syntax
1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=123)
I only installed the openldap package, and inside the schema folder I added the same
schema files.
Which step am I getting wrong?
Thanks And Best Regards
11 years, 3 months
openldap installed, running but can't connect remotely
by Casey Jordan
Hi group,
I hope this is the right list to post this under. I have been having a
problem connecting to an LDAP server I just set up on Ubuntu 10.10.
I can use ldapsearch locally and get good results,
but when I try to connect remotely, i.e.:
*sudo ldapsearch -xLLL -W -H ldap://ice.rit.edu -d1 "dc=easydita,dc=com"*
(See end of debug)
ldap_url_parse_ext(ldap://ice.rit.edu)
ldap_create
ldap_url_parse_ext(ldap://ice.rit.edu:389/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ice.rit.edu:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 34 bytes to sd 3
ldap_result ld 0xb8940170 msgid 1
wait4msg ld 0xb8940170 msgid 1 (infinite timeout)
wait4msg continue ld 0xb8940170 msgid 1 all 1
** ld 0xb8940170 Connections:
* host: coheed.rit.edu port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 17 19:42:29 2011
** ld 0xb8940170 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0xb8940170 request count 1 (abandoned 0)
** ld 0xb8940170 Response Queue:
Empty
ld 0xb8940170 response count 0
ldap_chkResponseList ld 0xb8940170 msgid 1 all 1
ldap_chkResponseList returns ld 0xb8940170 NULL
ldap_int_select
read1msg: ld 0xb8940170 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0xb8940170 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xb8940170 0 new referrals
read1msg: mark request completed, ld 0xb8940170 msgid 1
request done: ld 0xb8940170 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
*ldap_bind: Invalid credentials (49)*
I think I set up my admin password correctly, but I don't know how to verify
this.
This info may help too: Contents of
/etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=cn=localroot,cn=config manage by * break
olcRootDN: cn=admin,cn=config
structuralObjectClass: olcDatabaseConfig
entryUUID: eca09490-e524-102f-87c5-17d7a82e8985
creatorsName: cn=config
createTimestamp: 20110317205733Z
entryCSN: 20110317205733.193089Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110317205733Z
I've spent about 5 hours now trying to get this to work so any help would be
much appreciated.
Thanks
Casey
--
Casey Jordan
easyDITA a product of Jorsek LLC
11 years, 3 months
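The `ber_flush2: 34 bytes to sd 3` line in the debug output above is the simple BindRequest the client sent, and its size is determined by nothing but the bind DN and password lengths, so the frame can be reconstructed. The encoder and decoder below are an added example written for this page, not libldap code. `classify_bind` names the four combinations of empty and non-empty DN and password the way slapd's bind handling treats them with the default `allow` settings in slapd.conf (no `bind_anon_cred`, no `bind_anon_dn`); the DN and password strings are constructed for the example.

```python
from typing import Tuple

# Tags used by an LDAPv3 simple BindRequest (RFC 4511 section 4.2, BER per X.690).
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice: simple [0] OCTET STRING


def ber_length(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(content)) + content


def bind_request(msgid: int, dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, simple } }; msgid < 128."""
    bind = (tlv(TAG_INTEGER, bytes([version]))
            + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + tlv(TAG_AUTH_SIMPLE, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msgid])) + tlv(TAG_BIND_REQUEST, bind))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, content, position after the TLV) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_bind_request(frame: bytes) -> Tuple[int, int, str, str]:
    """Inverse of bind_request: (msgid, version, dn, password)."""
    tag, msg, _ = read_tlv(frame, 0)
    assert tag == TAG_SEQUENCE, "not an LDAPMessage"
    _, msgid, pos = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, pos)
    assert tag == TAG_BIND_REQUEST, "not a BindRequest"
    _, version, pos = read_tlv(bind, 0)
    _, dn, pos = read_tlv(bind, pos)
    tag, cred, _ = read_tlv(bind, pos)
    assert tag == TAG_AUTH_SIMPLE, "only simple authentication is handled here"
    return (int.from_bytes(msgid, "big"), int.from_bytes(version, "big"),
            dn.decode("utf-8"), cred.decode("utf-8"))


def classify_bind(dn: str, password: str) -> str:
    """How slapd treats the four DN/password combinations with the default
    'allow' settings (no bind_anon_cred, no bind_anon_dn)."""
    if not dn and not password:
        return "anonymous bind (accepted unless 'disallow bind_anon')"
    if not dn:
        return "empty DN with credentials: invalidCredentials (49) unless 'allow bind_anon_cred'"
    if not password:
        return "unauthenticated bind (DN, no password): unwillingToPerform (53) unless 'allow bind_anon_dn'"
    return "simple bind: DN and password are checked against the directory"


if __name__ == "__main__":
    # Constructed values: no bind DN with a 20-byte password, and a DN with the same password.
    for dn, pw in [("", "x" * 20), ("cn=admin,dc=easydita,dc=com", "x" * 20)]:
        print("%d bytes on the wire: %s" % (len(bind_request(1, dn, pw)), classify_bind(dn, pw)))
```

With an empty DN and a 20-byte password the frame is exactly 34 bytes; any non-empty bind DN of realistic length pushes it well past that, so the frame size alone tells which of the four cases a capture or debug trace contains.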
OpenLDAP migration from 2.3 to 2.4
by jpb@bordengrammar.kent.sch.uk
Hi All,
I'm currently in the process of moving from v2.3 to 2.4 and have been
following the procedure shown in the documentation for switching from the
old slapd.conf to the new cn=config format, i.e. slaptest -f <path> -F <path>.
If I copy over slapd.conf from my old server and run slapd -d 256, it
starts perfectly and answers queries, etc. If, on the other hand, I run
the slaptest command shown above I get the following:
<= str2entry(cn={1}core) -> 0x7fda53d38798
=> access_allowed: search access to "cn={1}core,cn=schema,cn=config"
"objectClass" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
olcAttributeTypes: value #0 olcAttributeTypes: Duplicate attributeType:
"2.5.4.2"
config error processing cn={1}core,cn=schema,cn=config: olcAttributeTypes:
Duplicate attributeType: "2.5.4.2"
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=80 matched="" text=""
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
I've been around Google and have found no solutions. My slapd.conf is
years old and was made according to the smbldap tutorial originally
written by IDEALX. The file is shown below and any info is welcome.
Thanks,
Julian
####slapd.conf ####
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
database bdb
directory /var/lib/ldap
suffix "dc=bordengrammar,dc=kent,dc=sch,dc=uk"
rootdn "cn=Administrator,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
sizelimit 10000
idletimeout 3700
rootpw {SSHA}<removed>
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# TLSCertificateFile /etc/openldap/cacerts/ldap.cert
# TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by * read
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=nssldap,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by self write
by anonymous auth
by * none
access to
attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by * read
access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by self write
by * read
access to
attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by self write
by * read
access to dn.base="dc=bordengrammar,dc=kent,dc=sch,dc=uk"
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by * none
access to dn="ou=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by * none
access to dn="ou=Groups,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by * none
access to dn="ou=Computers,dc=bordengrammar,dc=kent,dc=sch,dc=uk"
by dn="cn=samba,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by dn="cn=smbldap-tools,ou=DSA,dc=bordengrammar,dc=kent,dc=sch,dc=uk" write
by * none
access to *
by dn="cn=slapmaster,ou=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk" read
by self read
by * none
11 years, 3 months
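A `Duplicate attributeType: "2.5.4.2"` failure means the same attribute OID (2.5.4.2 is `knowledgeInformation` from core.schema) was registered twice in the set of schema the new slapd loaded; the log names the failing entry `cn={1}core`, and a `{1}` index means a schema entry `{0}` had already been loaded ahead of it. The script below is an added example written for this page, not OpenLDAP code: it reads both slapd.conf-style schema files and the `cn=config` schema LDIF with a hand-written parser, records every `attributetype`/`object class` OID and NAME together with the file that defined it, and reports whatever is defined more than once, so the second copy can be located before slaptest is run. The three inline files are constructed excerpts for the example; the real ones are far longer.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One definition per (unfolded) line, in slapd.conf schema or cn=config LDIF form:
#   attributetype ( 2.5.4.2 NAME 'knowledgeInformation' ... )
#   olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' ... )
DEF_RE = re.compile(
    r"^(attributetype|objectclass|olcAttributeTypes:|olcObjectClasses:)"
    r"\s*(?:\{\d+\})?\s*\(\s*(\S+)(.*)\)\s*$", re.IGNORECASE)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(\s*((?:'[^']*'\s*)+)\))")
KIND = {"attributetype": "attributetype", "olcattributetypes:": "attributetype",
        "objectclass": "objectclass", "olcobjectclasses:": "objectclass"}


def unfold(text: str) -> List[str]:
    """Join continuation lines and drop comments. LDIF folds with exactly one
    leading space and no separator; schema files indent with a tab or several
    spaces and the break falls between tokens."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and out:
            ldif_fold = raw.startswith(" ") and not raw.startswith("  ")
            out[-1] += raw[1:] if ldif_fold else " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def definitions(text: str) -> List[Tuple[str, str, List[str]]]:
    """(kind, oid, names) for every attributetype/objectclass in one file."""
    defs: List[Tuple[str, str, List[str]]] = []
    for line in unfold(text):
        m = DEF_RE.match(line)
        if not m:
            continue
        kind, oid, rest = KIND[m.group(1).lower()], m.group(2), m.group(3)
        names: List[str] = []
        nm = NAME_RE.search(rest)
        if nm:
            names = [nm.group(1)] if nm.group(1) is not None else re.findall(r"'([^']*)'", nm.group(2))
        defs.append((kind, oid, names))
    return defs


def find_duplicates(files: Dict[str, str]) -> Dict[str, List[str]]:
    """'kind oid' or 'kind name' -> 'file:name' for every definition seen more than
    once; `files` is ordered the way slapd loads them (slapd.d first, then includes)."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for fname, text in files.items():
        for kind, oid, names in definitions(text):
            label = "%s:%s" % (fname, names[0] if names else oid)
            seen["%s %s" % (kind, oid)].append(label)
            for name in names:
                seen["%s %s" % (kind, name.lower())].append(label)
    return {key: where for key, where in seen.items() if len(where) > 1}


# Constructed excerpts: a cn=config schema entry that already holds core, a
# core.schema still pulled in by an include, and a clean site-local schema.
SAMPLE_FILES = {
    "cn={0}core.ldif": """\
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: kno
 wledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcObjectClasses: {0}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organizati
 on' SUP top STRUCTURAL MUST o )
""",
    "core.schema": """\
# core.schema excerpt (slapd.conf include)
attributetype ( 2.5.4.2 NAME 'knowledgeInformation'
	DESC 'RFC2256: knowledge information'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
	DESC 'RFC2256: common name(s) for which the entity is known by'
	SUP name )
""",
    "local.schema": """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'siteRole'
	EQUALITY caseIgnoreMatch
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
""",
}
```

`find_duplicates(SAMPLE_FILES)` returns the 2.5.4.2 / knowledgeInformation definition twice, once from each file that carries it, and nothing for the classes and attributes defined only once; pointing it at a real slapd.d plus the files named by the `include` lines gives the same answer for the actual configuration.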
ppolicy pwdMinLength, pwdAccountLockedTime and pwdLockoutDuration don't work as expected
by Theo Alves
Hello there,
We have 40 machines in an educational informatics lab authenticating
with LDAP. I am using the python-ldap module as the management tool. I am
experiencing two problems at the moment. The first one is that when a user accesses LDAP
through python, the ppolicy pwdMinLength doesn't work. The user can freely set a
password that is too short. That doesn't happen when using passwd. Check out the
python code snippet:
import getpass
import ldap

dn = 'uid=%s,ou=People,dc=example,dc=com' % 'user1'
con = ldap.initialize('ldapi:///')
# Bind as the user with the present password (read without echo), then change
# it with the Password Modify extended operation: old password omitted, new
# password '1'.
con.bind_s(dn, getpass.getpass('Password: '))
con.passwd_s(dn, None, '1')
In the default_ppolicy entry pwdMinLength is set to 5; even so, the
code above works for regular users and they can set passwords that are too short.
The second thing is that in the lab, users sometimes should be disabled for
a period of time (2 weeks, for instance). I guessed I could set
pwdAccountLockedTime to now and pwdLockoutDuration to the duration, and the
user would be automatically unlocked after that time, but it doesn't seem to
work. I guess these directives are only valid when pwdFailureTime is set
by the authentication methods. Can someone confirm that I can't manually set
pwdAccountLockedTime and pwdLockoutDuration to block a user's access for a
given period? What would be the alternatives?
I hope I haven't missed the answers because of a lack of English skills. I
have "googled" a lot about that, but nothing useful came up. The mailing list
archive search in openldap-technical doesn't return anything, even when I
try ldap or ppolicy. I browsed some monthly archives but got nothing from the
e-mail subjects.
Thanks in advance for any help and answers. I hope I have been understood,
and sorry about any mistakes I've made concerning the language.
Theo
--
O Pensamento Governa o Universo
http://www.999thnight.com
http://www.unreversed.com
11 years, 3 months
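The lockout attributes in the question above have fixed semantics in slapo-ppolicy(5) and the draft-behera password policy it implements: `pwdAccountLockedTime` and `pwdFailureTime` are operational attributes on the user entry, while `pwdLockoutDuration`, `pwdMaxFailure`, `pwdFailureCountInterval` and `pwdLockout` live in the pwdPolicy entry that applies to the user; a `pwdLockoutDuration` of 0 or none means a locked account stays locked until an administrator clears it, and the value `000001010000Z` in `pwdAccountLockedTime` marks a permanent administrative lock. The evaluator below is an added example written for this page, not the overlay's code: it applies those rules to a user entry and a policy given as plain dicts, so the outcome for a given set of values can be checked without a server. The policy, entries and timestamps are constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PERMANENT_LOCK = "000001010000Z"  # slapo-ppolicy: only an administrator can unlock
Entry = Dict[str, List[str]]      # attribute -> values, as read from the directory


def parse_gtime(value: str) -> datetime:
    """GeneralizedTime as ppolicy writes it: YYYYMMDDHHMMSS[.ffffff]Z, always UTC."""
    value = value.rstrip("Z")
    return datetime.strptime(value, "%Y%m%d%H%M%S.%f" if "." in value else "%Y%m%d%H%M%S")


def format_gtime(when: datetime) -> str:
    return when.strftime("%Y%m%d%H%M%SZ")


def first(entry: Entry, attr: str, default: Optional[str] = None) -> Optional[str]:
    values = entry.get(attr)
    return values[0] if values else default


def account_locked(user: Entry, policy: Entry, now: datetime) -> Tuple[bool, str]:
    """pwdAccountLockedTime (user) against pwdLockoutDuration (policy, seconds);
    a duration of 0 or none means the lock stays until an administrator clears it."""
    locked_at = first(user, "pwdAccountLockedTime")
    if locked_at is None:
        return False, "no pwdAccountLockedTime: not locked"
    if locked_at == PERMANENT_LOCK:
        return True, "permanently locked; only an administrator can unlock"
    duration = int(first(policy, "pwdLockoutDuration", "0"))
    if duration == 0:
        return True, "locked; pwdLockoutDuration is 0/absent so only an administrator can unlock"
    until = parse_gtime(locked_at) + timedelta(seconds=duration)
    if now < until:
        return True, "locked until %s" % format_gtime(until)
    return False, "lockout expired at %s" % format_gtime(until)


def failure_state(user: Entry, policy: Entry, now: datetime) -> Tuple[int, bool]:
    """(failed binds still counted, whether that count locks the account).
    pwdFailureCountInterval 0/absent: failures never age out; pwdMaxFailure 0:
    no limit; locking only happens when pwdLockout is TRUE."""
    interval = int(first(policy, "pwdFailureCountInterval", "0"))
    cutoff = now - timedelta(seconds=interval) if interval else None
    counted = [t for t in user.get("pwdFailureTime", [])
               if cutoff is None or parse_gtime(t) >= cutoff]
    lockout = first(policy, "pwdLockout", "FALSE").upper() == "TRUE"
    max_failure = int(first(policy, "pwdMaxFailure", "0"))
    return len(counted), lockout and 0 < max_failure <= len(counted)


def lock_now(now: datetime) -> Entry:
    """What an administrator writes to lock a user from `now` on; with a non-zero
    pwdLockoutDuration in the applicable policy the lock then expires by itself."""
    return {"pwdAccountLockedTime": [format_gtime(now)]}


if __name__ == "__main__":
    # Constructed policy (two-week lockout) and a user locked by an admin on 2011-03-18.
    policy = {"pwdLockout": ["TRUE"], "pwdMaxFailure": ["5"],
              "pwdLockoutDuration": [str(14 * 24 * 3600)], "pwdFailureCountInterval": ["300"]}
    user = lock_now(parse_gtime("20110318120000Z"))
    for when in ("20110325120000Z", "20110402120000Z"):
        print(when, account_locked(user, policy, parse_gtime(when)))
```

With a two-week `pwdLockoutDuration` in the policy, a `pwdAccountLockedTime` written on 18 March reads as locked one week later and as expired on 2 April; with no duration in the policy the same value never expires, which is the case to rule out when a manual lock does not release by itself.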
(no subject)
by Juan José Aragonés
Hello
After installing and configuring openLDAP on Linux I'm
trying to do the same on Windows 7. No, it's not my idea, but it is what my boss wants
me to do. So I downloaded openLDAP from http://www.userbooster.de/en/download/openldap-for-windows.aspx and installed it. I configured my slapd.conf as follows:
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/inetorgperson.schema
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
## server permits anonymous binds
allow bind_anon_dn
## Misc security settings
password-hash {SSHA}
#######################################################################
# Database Section
#######################################################################
## Define the beginning of example database
database bdb
## Define the root suffix you serve
suffix "dc=example,dc=com"
## Define a root DN for superuser privilege (Not necessary)
rootdn "cn=Manager,dc=example,dc=com"
## Define the password used with rootdn. For this example it will be "secret"
rootpw {SSHA}E7ptTQ3Z6DdkPacF6sO3qXrueUKoM8Kq
## Directory containing the database files
directory ./data/example
## Indexes to maintain
index ObjectClass eq
index cn,sn,mail eq,sub
index departmentNumber eq
## db tuning parameters: cache 2000 entries in memory
cachesize 2000
I started it (slapd -h ldap://) and it works OK. But now I'm trying to connect using ldaps, and I can't find how to create a self-signed certificate in a way as easy as it was on Linux. If you know where there's a good guide I would be really grateful.
Thank you
Joe Aragones
11 years, 3 months
Schema Design :: ACL on Groups by Group Members only
by sim123
Hi There,
I want "n" groups (or a similar structure that keeps member
information) to be created, and only group members should have access to those
groups. Members are defined in a separate user branch, so my DIT looks like:
dc=example,dc=com
+--ou=people,dc=example,dc=com
+----uid=bjanson,ou=users,dc=example,dc=com
+----uid=matt,ou=users,dc=example,dc=com
+--cn=group1,dc=example,dc=com (groupOfNames)
+----cn=subgroup1,dc=example,dc=com (groupOfNames)
Now users bjanson and matt are members of group1, and only bjanson is a member of
subgroup1. I would like to have an ACL defined so that only members can access their
group. I don't need any ACL on the subgroup as long as only the members of the
parent group can access it.
Is it possible to do that in a generic form? The basic ACL syntax needs a
dn/filter in the "access to" clause. In my example, if I have n groups I will
end up having n access control directives in slapd.conf, which doesn't sound like a
good idea.
Also, I don't need to use groups as such, but groupOfNames/groupOfUniqueNames
are the only classes which support the member attribute. Please let
me know if there is any other objectClass I should use.
Thanks for all the help and support, I appreciate it very much.
11 years, 3 months
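Two posts on this page turn on how slapd evaluates access directives: the slapd.conf in the 2.3-to-2.4 migration post, whose second directive is `access to * by * read`, and the question just above about one ACL for n groups. slapd uses the first `access to` directive whose target matches the entry and attribute and then the first matching `by` clause inside it (slapd.access(5)), so directives after a matching catch-all are never consulted; `dnattr=<attr>` matches a requester whose DN is a value of that attribute in the target entry, and `dn.regex=` lets one directive cover every group at one level of the tree. The evaluator below is an added example written for this page, not slapd's ACL code: it implements those rules for a handful of `<who>` forms and without `break`/`continue` controls. The directive lists are constructed to model the two posts (explicit dn styles, a subset of the attributes), and the entries and DNs are constructed too.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# slapd access levels, weakest to strongest (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
Entry = Dict[str, Any]  # "dn" -> str, every other attribute -> List[str]


def norm(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators (slapd matches normalized DNs)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def what_matches(directive: dict, entry_dn: str, attr: str) -> bool:
    """<what> part: optional dn.<style>=<pattern> and optional attrs=<list>."""
    if directive.get("dn"):
        style, pattern = directive["dn"]
        e, p = norm(entry_dn), norm(pattern)
        below = e != p and e.endswith("," + p)
        ok = {"base": e == p, "exact": e == p, "subtree": e == p or below,
              "children": below, "one": below and "," not in e[:-len(p) - 1],
              "regex": re.match(pattern.lower(), e) is not None}[style]
        if not ok:
            return False
    attrs = directive.get("attrs")
    return attrs is None or attr.lower() in {a.lower() for a in attrs}


def who_matches(who: str, requester: str, entry: Entry) -> bool:
    """<who> part: *, anonymous, users, self, dn.exact=<dn>, dnattr=<attr>."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and norm(requester) == norm(entry["dn"])
    if who.startswith("dn.exact="):
        return norm(who[len("dn.exact="):]) == norm(requester)
    if who.startswith("dnattr="):  # requester's DN is a value of that attribute in the entry
        return norm(requester) in {norm(v) for v in entry.get(who[len("dnattr="):], [])}
    raise ValueError("unsupported <who>: " + who)


def evaluate(acls: List[dict], requester: str, entry: Entry, attr: str) -> Tuple[str, Optional[int]]:
    """First-match rule: the first directive whose <what> matches decides; inside it
    the first matching <who> clause gives the level. No break/continue controls here."""
    for index, directive in enumerate(acls):
        if not what_matches(directive, entry["dn"], attr):
            continue
        for who, level in directive["by"]:
            if who_matches(who, requester, entry):
                return level, index
        return "none", index   # <what> matched but no <who> did: implicit "by * none"
    return "none", None        # nothing matched: implicit deny


def allowed(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)


# Constructed directives modeled on the slapd.conf in the migration post (explicit dn
# styles, a subset of the attributes) and on the group question; constructed DNs.
SUFFIX = "dc=bordengrammar,dc=kent,dc=sch,dc=uk"
SAMBA_DSA = "cn=samba,ou=DSA," + SUFFIX
MIGRATION_ACLS = [
    {"attrs": ["userPassword", "sambaLMPassword", "sambaNTPassword"],
     "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"by": [("*", "read")]},                                        # access to * by * read
    {"attrs": ["sambaSID", "sambaPrimaryGroupSID", "sambaDomainName"],
     "by": [("dn.exact=" + SAMBA_DSA, "write"), ("self", "write"), ("*", "read")]},
    {"dn": ("base", "ou=Users," + SUFFIX),
     "by": [("dn.exact=" + SAMBA_DSA, "write"), ("*", "none")]},
]
# The same directives with the catch-all moved to the end, where it is reached last.
REORDERED_ACLS = MIGRATION_ACLS[:1] + MIGRATION_ACLS[2:] + MIGRATION_ACLS[1:2]

# One directive for any number of groups directly under the suffix: a DN listed in
# a group's member attribute may read that group, nobody else may.
GROUP_ACLS = [
    {"dn": ("regex", r"^cn=[^,]+,dc=example,dc=com$"),
     "by": [("dnattr=member", "read"), ("*", "none")]},
    {"by": [("users", "read")]},
]
```

Against `MIGRATION_ACLS`, a request by the samba DSA to write `sambaSID` on a user stops at directive 1 with `read`, and an anonymous read of the `ou=Users` entry is also decided by directive 1, so the `by * none` in directive 3 is never reached; `REORDERED_ACLS` gives the DSA `write` and anonymous `none`. Against `GROUP_ACLS`, a member reads its own group, a non-member gets nothing, and entries that are not groups fall through to the second directive.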
OpenLDAP 2.4.23 hangs when creating new group objects
by Mark Cave-Ayland
Hi all,
Having just upgraded our internal LDAP server from Debian Lenny (2.4.16
internal build) to Debian Squeeze (2.4.23), we have started to see
instances where the slapd process hangs and stops responding to all
requests until we kill -9 and restart the process.
Bizarrely enough, we can reproduce this pretty much every time when we
try and create a new LDAP group using the GOsa web administration tool.
Is this a known issue at all? Next time it happens, I'm happy to post a
backtrace if you let me know what output you need from gdb to debug this.
Many thanks,
Mark.
--
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063
Sirius Labs: http://www.siriusit.co.uk/labs
11 years, 3 months