ldap_add: Invalid syntax (21)
by Graeme Gemmill
Sorry, but after a couple of hours head-scratching, I need some help
from the experts.
Environment: Mandriva Linux 2011_x64, OpenLDAP openldap-2.4.33 (also
jxplorer).
I'm trying to process a large LDIF file produced by Thunderbird. My
slapd.conf file contains
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/mozilla.schema
include /usr/local/etc/openldap/schema/misc.schema
I've progressed to the point where two organizational units have been
created, Personal and NCI.
I get the error when processing the first person in the LDIF file:
dn: cn=Chris Smith,mail=chris.smith(a)ccb-insight.emv1.net,ou=Personal,dc=gemmills,dc=name
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
cn: Chris Smith
mail: chris.smith(a)ccb-insight.emv1.net
#modifytimestamp: 1314088910
The full error message is ldap_add: Invalid syntax (21)
additional info: objectclass: value #4 invalid per syntax,
which points to a problem with the mozillaAbPersonAlpha object class.
Here is the log output:
add objectclass:
top
person
organizationalPerson
inetOrgPerson
mozillaAbPersonAlpha
add cn:
Chris Smith
add mail:
chris.smith(a)ccb-insight.emv1.net
adding new entry "cn=Chris Smith,mail=chris.smith(a)ccb-insight.emv1.net,ou=Personal,dc=gemmills,dc=name"
I can't see why either of these attributes should give a problem.
As a side issue: is it significant that KWrite doesn't colour the
"objectclass: mozillaAbPersonAlpha" line in the LDIF file the same as
the other objectclass lines?
Your comments/help will be gratefully received.
Graeme
8 years
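slapd numbers the values of an attribute from zero, so "objectclass: value #4" is the fifth value, mozillaAbPersonAlpha, and an objectClass value that no loaded schema defines is reported as invalid per syntax. The following Python is an added illustration, not code from this thread or from OpenLDAP: it parses one LDIF entry (folded lines and base64 values included) and lists the objectClass values missing from a set of schema texts; the schema excerpts and the entry are constructed, and the OID 1.1.1.1 is a placeholder.

```python
import base64
import re
# Constructed schema excerpts standing in for the included files (placeholder OID 1.1.1.1).
CORE_SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL )
"""
MOZILLA_SCHEMA = "objectclass ( 1.1.1.1 NAME 'mozillaAbPersonAlpha' SUP top AUXILIARY )\n"
# Constructed entry modelled on the post's: folded dn, base64-encoded cn.
ENTRY = """dn: cn=Chris Smith,mail=chris.smith@example.com,ou=Personal,
 dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
cn:: Q2hyaXMgU21pdGg=
"""
def schema_object_classes(*schema_texts):
    """Case-folded NAMEs of every objectclass definition (LDAP matches names case-insensitively)."""
    names = set()
    for text in schema_texts:
        for chunk in re.findall(r"^objectclass\b.*?(?=^objectclass\b|\Z)", text, re.I | re.M | re.S):
            m = re.search(r"NAME\s+(\([^)]*\)|'[^']*')", chunk)
            if m:
                names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(1)))
    return names

def parse_ldif_entry(text):
    """(attr, value) pairs: unfolds continuation lines, skips '#' comments, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line (RFC 2849)
        elif raw.strip():
            lines.append(raw)
    pairs = []
    for line in lines:
        m = re.match(r"([^:#][^:]*)(::?)\s*(.*)", line)
        if m:
            value = base64.b64decode(m.group(3)).decode("utf-8") if m.group(2) == "::" else m.group(3)
            pairs.append((m.group(1), value))
    return pairs

def unknown_object_classes(pairs, known):
    """(index, value) of objectClass values no loaded schema defines; 0-based like 'value #N'."""
    values = [v for a, v in pairs if a.lower() == "objectclass"]
    return [(i, v) for i, v in enumerate(values) if v.lower() not in known]
```

Run against the real schema files from the slapd.conf include lines, the check tells you whether the name in the LDIF is defined at all before you look for other causes.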
RE: getent passwd inconsistent loginShell with ldapsearch [ISSUE RESOLVED]
by Rodney Simioni
ISSUE RESOLVED
I didn't have nslcd started.
Thanks everybody for your help.
-----Original Message-----
From: Dan White [mailto:dwhite@olp.net]
Sent: Tuesday, March 12, 2013 11:07 AM
To: Rodney Simioni
Cc: openldap-technical(a)openldap.org
Subject: Re: getent passwd inconsistent loginShell with ldapsearch
On 03/12/13 10:19 -0400, Rodney Simioni wrote:
>I removed ldap from nsswitch.conf. I restarted slapd and sssd.
>
>There is still inconsistencies between getent and ldapsearch:
>
>[root@rodster sssd]# getent passwd meathead08
>meathead08:*:343108:343108:Johnny
>Appleseed:/home/meathead08:/bin/noshell
>
>ldapsearch -w xxxx -D "cn=manager,dc=wh,dc=local"
>homeDirectory: /home/meathead08
>loginShell: /bin/bash
>>/etc/nsswitch.conf has:
>>
>>passwd: files sss ldap
>>shadow: files sss ldap
Your problem does not appear to be openldap related.
Try alternatively removing 'files' and 'sss' from your nsswitch.conf file, and then running getent again. If the problem persists in both scenarios, then you've got a caching issue. If the problem exists in only one of the cases, then you know who to blame.
--
Dan White
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.
8 years
RE: getent passwd inconsistent loginShell with ldapsearch
by Rodney Simioni
I think this may have fixed it. In my ldap.conf I had:
URI ldap://127.0.0.1/
I changed it to the host name:
URI ldap://narf.com/
I restarted slapd and now they are consistent.
From: Rodney Simioni
Sent: Friday, March 08, 2013 4:14 PM
To: openldap-technical(a)openldap.org
Subject: getent passwd inconsistent loginShell with ldapsearch
Hi,
When I do a 'getent check72 passwd' I get:
check72:*:6072:6072:Johnny Appleseed:/home/check72:/bin/bash
But when I do a ldapsearch command I get:
# check72, people, wh.local
dn: uid=check72,ou=people,dc=wh,dc=local
uid: check72
cn: Johnny Appleseed
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e1NTSEF9OWVHdTdPVHIwVE15ajNQNEphdG9GR1cwZnQxa2Ftb3k=
shadowLastChange: 15140
shadowMax: 99999
shadowWarning: 7
uidNumber: 6072
gidNumber: 6072
homeDirectory: /home/check72
loginShell: /bin/noshell
# check72, group, wh.local
dn: cn=check72,ou=group,dc=wh,dc=local
objectClass: posixGroup
objectClass: top
cn: check72
gidNumber: 6072
userPassword:: e0NSWVBUfXg=
# search result
search: 2
result: 0 Success
I have restarted slapd and nscd, any clue? Thanks in advance.
8 years
ACL by objectClass
by Evgeny Basov
Hello, everybody.
I have this structure:
dn: o=z
objectclass: organization
objectclass: top
o: z
dn: domainName=example.org,o=z
objectclass: mailDomain
objectclass: top
domainname: example.org
dn: uid=user,domainName=example.org,o=z
objectclass: account
objectclass: mailUser
objectclass: top
mail: user(a)example.org
uid: user
and want to grant access only for members of subtree of every domainName:
dn: ou=Admins,domainName=example.org,o=z
objectclass: organizationalUnit
objectclass: top
ou: Admins
dn: uid=postmaster,ou=Admins,domainName=example.org,o=z
objectclass: account
objectclass: mailAdmin
objectclass: top
mail: postmaster(a)example.org
uid: postmaster
write ACL:
{0}to attrs=userPassword
by self write
by anonymous auth
by * none
{1}to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
by dn.onelevel,expand="ou=Admins,$2" write
{2}to *
by self write
and it is all working fine, but I want to add something like this:
dn: uid=admin,domainName=example.org,o=z
objectclass: account
objectclass: mailAdmin
objectclass: top
mail: admin(a)example.org
uid: admin
and rewrite the ACL
to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$"
by dn.onelevel,expand="ou=Admins,$2" write
to grant write access to all subentries of domainName which have
objectClass=mailAdmin.
Is it possible? How can I do it?
8 years
Data validation
by bob@swin.edu.au
Hi,
Can anyone point me to a means of performing some sort of data validation on input data
at the server end?
Specifically, I want to store email addresses to be looked up by sendmail when doing alias
processing. I want to have these aliases managed by users who may not be totally
trustworthy, so I'd like to knock out any attempts to add aliases that have redirection or
pipe operators in them.
The printable string schema syntax (OID=1.3.6.1.4.1.1466.115.121.1.44) is pretty close
to what I need, but it doesn't include the '@' character.
Any ideas?
Thanks in advance,
Bob.....
8 years
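One way to express the check Bob describes is a character class built from PrintableString with '@' added and the characters that sendmail alias targets need (pipe, redirection, '/', ':') left out; the same pattern can then be enforced in slapd with the constraint overlay (slapo-constraint, `constraint_attribute <attr> regex <pattern>`). The Python below is an added example, not from the thread: the sample submissions are constructed, and the attribute name passed to `constraint_overlay_config` is a placeholder for whichever attribute holds the alias target.

```python
import re

# PrintableString (RFC 4517, OID 1.3.6.1.4.1.1466.115.121.1.44) allows
# A-Z a-z 0-9 ' ( ) + , - . / : = ? and space, but not '@'. This pattern keeps
# the address-relevant subset and adds '@'; by leaving out '/', ':' and space
# and never admitting '|', '<' or '>', sendmail's pipe, file, :include: and
# redirection targets cannot be written at all. It is a POSIX ERE, so it can
# be handed unchanged to slapo-constraint (see constraint_overlay_config).
ALIAS_TARGET_RE = r"^[A-Za-z0-9+=?._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
_alias_target = re.compile(ALIAS_TARGET_RE)

# Constructed submissions an alias manager might try.
SAMPLES = [
    "alice@example.com",
    "|/usr/bin/vacation alice",          # pipe to a program
    ">/tmp/captured",                    # redirection
    "/var/spool/dropbox",                # deliver to a file
    ":include:/etc/alias.list",          # pull a list from a file
    "bob",                               # local user, no domain
    "eve@example.com,|/usr/bin/logger",  # list smuggling a pipe
]

def alias_target_ok(value):
    """True only for a single user@domain address in the allowed alphabet."""
    return _alias_target.fullmatch(value) is not None

def partition_targets(values):
    """Split submissions into (accepted, rejected)."""
    accepted = [v for v in values if alias_target_ok(v)]
    rejected = [v for v in values if not alias_target_ok(v)]
    return accepted, rejected

def constraint_overlay_config(attribute):
    """slapd.conf lines enforcing the same pattern inside slapd via the
    constraint overlay; 'attribute' is a placeholder for the alias attribute."""
    return f"overlay constraint\nconstraint_attribute {attribute} regex {ALIAS_TARGET_RE}\n"
```

The pattern is deliberately narrower than RFC 5322 (no quoted local parts, no address literals), which is the trade-off when the goal is to make pipe and file targets unrepresentable rather than to accept every legal address.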
shadowLastChange missing after update
by Maria McKinley
Hi there,
I recently changed from the slapd.conf configuration to the slapd.d
configuration. Everything seemed to go reasonably well, but for some reason
the shadowLastChange attribute was missing from all of the people. When I
try to add it back in, I get:
ldap_add: Object class violation (65) additional info: no objectClass
attribute
but I seem to have the schema and objectClasses for shadowLastChange:
annette:~# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config
"(objectClass=olcSchemaConfig)" dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}misc,cn=schema,cn=config
maria@mimi:~/sysadmin$ ldapsearch -xLLL "uid=jd"
dn: uid=jd,ou=people,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
cn: Jochen Ditterich
shadowMax: 365
gidNumber: 100
uid: jd
homeDirectory: /home/jd
mailRoutingAddress: jd(a)example.com
uidNumber: 1025
sn: Ditterich
shadowWarning: 7
mailLocalAddress: jd
mail: jd(a)example.com
loginShell: /bin/bash
Anyone have any idea what might be going on? What am I missing?
thanks,
maria
8 years
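"Object class violation (65) ... no objectClass attribute" is what slapd returns when a record describing a brand-new entry arrives without objectClass, which is what ldapadd sends if it is given an LDIF containing only the missing attribute; restoring an attribute on existing entries is a modify, not an add. The Python below is an added example, not code from the thread, that builds the ldapmodify LDIF; the list of people and their day numbers is constructed (15140 is the shadowLastChange value seen elsewhere on this page).

```python
import time

# Constructed list of people entries to fix: (dn, day of last password change).
# None means "stamp with today"; a real run would take these from ldapsearch
# or from a backup made before the slapd.conf to slapd.d migration.
PEOPLE = [
    ("uid=jd,ou=people,dc=example,dc=com", 15140),
    ("uid=jane,ou=people,dc=example,dc=com", None),
]

def shadow_day(seconds_since_epoch=None):
    """shadowLastChange counts days since 1970-01-01 UTC, as in /etc/shadow."""
    secs = time.time() if seconds_since_epoch is None else seconds_since_epoch
    return int(secs // 86400)

def modify_record(dn, day):
    """One LDIF change record for ldapmodify. 'changetype: modify' makes slapd
    alter the existing entry; the same attribute fed to ldapadd describes a
    new entry with no objectClass, which is exactly the
    'Object class violation (65) ... no objectClass attribute' rejection."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "add: shadowLastChange\n"
            f"shadowLastChange: {day}\n")

def modify_ldif(people, today=None):
    """Whole file: records separated by blank lines; entries without a known
    day are stamped with today's day number (today is seconds since epoch)."""
    day_now = shadow_day(today)
    return "\n".join(modify_record(dn, day if day is not None else day_now)
                     for dn, day in people)

if __name__ == "__main__":
    # Feed the output to: ldapmodify -x -D <admin dn> -W -f fix-shadow.ldif
    print(modify_ldif(PEOPLE))
```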
Import base64 info
by arantza serrano
Hello,
I’m trying to import my LDIF where some attributes are in base64:
/opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF
dn: uid=usu3,ou=users,o=my_organization
uid: usu2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
cn:: Q0FNSdFBCg==
sn: my_sn
mail: my_mail(a)mydomain.com
userPassword: usuario
_EOF
Then I get this error:
adding new entry " uid=usu3,ou=users,o=my_organization "
ldap_add: Invalid syntax (21)
additional info: cn: value #0 invalid per syntax
If I decode the value, I get the same error:
/opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF
dn: uid=usu3,ou=users,o=my_organization
uid: usu2
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
cn: CAMIÑA
sn: my_sn
mail: my_mail(a)mydomain.com
userPassword: usuario
_EOF
adding new entry " uid=usu3,ou=users,o=my_organization "
ldap_add: Invalid syntax (21)
additional info: cn: value #0 invalid per syntax
How can I import my LDIF?
Thanks!
8 years
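The base64 value in the post, Q0FNSdFBCg==, decodes to the bytes 43 41 4D 49 D1 41 0A: "CAMIÑA" with Ñ as the single Latin-1 byte 0xD1, plus a trailing newline. LDAP DirectoryString values must be UTF-8, and 0xD1 followed by 0x41 is not valid UTF-8, so slapd rejects the value; a terminal or file in a Latin-1 locale sends the same byte for the plain "cn: CAMIÑA" line, which is why decoding it did not help. The Python below is an added example, not from the thread: it detects the wrong encoding and re-emits the attribute as UTF-8, base64-encoded as RFC 2849 requires for non-ASCII values.

```python
import base64
# Value taken from the post: base64 of bytes that were meant to read 'CAMIÑA'.
ORIGINAL_CN = "Q0FNSdFBCg=="

def decode_ldif_base64(b64):
    """Decode an LDIF '::' value and report which encoding its bytes are in.
    Directory strings must be UTF-8; bytes that only decode as Latin-1
    (0xD1 for Ñ here) are what slapd rejects with 'invalid per syntax'."""
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        return raw.decode("latin-1"), "latin-1"

def ldif_attribute_line(attr, value):
    """Render attr/value as LDIF, base64-encoding the UTF-8 bytes whenever the
    value is not SAFE-STRING per RFC 2849 (non-ASCII, NUL/CR/LF, a leading
    space, ':' or '<', or a trailing space)."""
    data = value.encode("utf-8")
    plain = (all(b < 0x80 and b not in (0, 10, 13) for b in data)
             and data[:1] not in (b" ", b":", b"<")
             and not data.endswith(b" "))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(data).decode('ascii')}"

def repair_base64_value(attr, b64):
    """Re-encode a mis-encoded '::' value as UTF-8 base64, dropping the
    trailing newline the original carried (the 'Cg==' tail is a bare LF)."""
    text, encoding = decode_ldif_base64(b64)
    return ldif_attribute_line(attr, text.rstrip("\r\n")), encoding
```

The repaired line is `cn:: Q0FNScORQQ==`, the UTF-8 bytes 43 41 4D 49 C3 91 41; the same function applies to any attribute exported from a Latin-1 source.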
Re: Import base64 info
by Jorge.armijo
Remove the special character and try it that way; I had that same problem. Use the graphical tool ldapexplorer.
Sent from Samsung Mobile
8 years
ldap start and stop scripts
by francesco.policastro@selex-es.com
Hi,
Can anyone point me to a script to start and stop openldap? I mean a
script to use with chkconfig.
What I found online is somewhat obsolete, i.e. it refers to slurpd and
slapd.conf, with no reference to slapd.d.
I installed rev. 2.4.33 from sources.
Thanks in advance,
Francesco
8 years, 1 month