openldap-technical March 2013

openldap-technical@openldap.org

84 participants
80 discussions

ldap_add: Invalid syntax (21)
by Graeme Gemmill 12 Mar '13

12 Mar '13

Sorry, but after a couple of hours head-scratching, I need some help from the experts. Environment: Mandriva Linux 2011_x64, OpenLDAP openldap-2.4.33 (also jxplorer). I'm trying to process a large LDIF file produced by Thunderbird. My slapd.conf file contains include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/mozilla.schema include /usr/local/etc/openldap/schema/misc.schema I've progresses to the point where two organizational units have been created, Personal and NCI. I get the error when processing the first person in the LDIF file: dn: cn=Chris Smith,mail=chris.smith(a)ccb-insight.emv1.net,ou=Personal,dc=gemmills,dc=name objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson objectclass: mozillaAbPersonAlpha cn: Chris Smith mail: chris.smith(a)ccb-insight.emv1.net #modifytimestamp: 1314088910 The full error message is ldap_add: Invalid syntax (21) additional info: objectclass: value #4 invalid per syntax, which points to a problem with the mozillaABPersonAlpha object. here is the log output: add objectclass: top person organizationalPerson inetOrgPerson mozillaAbPersonAlpha add cn: Chris Smith add mail: chris.smith(a)ccb-insight.emv1.net adding new entry "cn=Chris Smith,mail=chris.smith(a)ccb-insight.emv1.net,ou=Personal,dc=gemmills,dc=name" I can't see why either of these attributes should give a problem. As a side issue: is it significant that KWrite doesn't colour the "objectclass: mozillaAbPersonAlpha" line in the LDIF file the same as the other objectclass lines? Your comments/help will be gratefully received. Graeme

3 5

RE: getent passwd inconsistent loginShell with ldapsearch [ISSUE RESOLVED]
by Rodney Simioni 12 Mar '13

12 Mar '13

ISSUE RESOLVED I didn't have nslcd started. Thanks everybody for your help. -----Original Message----- From: Dan White [mailto:dwhite@olp.net] Sent: Tuesday, March 12, 2013 11:07 AM To: Rodney Simioni Cc: openldap-technical(a)openldap.org Subject: Re: getent passwd inconsistent loginShell with ldapsearch On 03/12/13 10:19 -0400, Rodney Simioni wrote: >I removed ldap from nsswitch.conf. I restarted slapd and sssd. > >There is still inconsistencies between getent and ldapsearch: > >[root@rodster sssd]# getent passwd meathead08 >meathead08:*:343108:343108:Johnny >Appleseed:/home/meathead08:/bin/noshell > >ldapsearch -w xxxx -D "cn=manager,dc=wh,dc=local" >homeDirectory: /home/meathead08 >loginShell: /bin/bash >>/etc/nsswitch.conf has: >> >>passwd: files sss ldap >>shadow: files sss ldap Your problem does not appear to be openldap related. Try alternatively removing 'files' and 'sss' from your nsswitch.conf file, and then running getent again. If the problem persists in both scenarios, then you've got a caching issue. If the problem exists in only one of the cases, then you know who to blame. -- Dan White This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.

1 0

RE: getent passwd inconsistent loginShell with ldapsearch
by Rodney Simioni 12 Mar '13

12 Mar '13

I think this may have fixed it. In my ldap.conf I had: URI ldap://127.0.0.1/ I changed it to the host name: URI ldap://narf.com/ I restarted slapd and now they are consistent. From: Rodney Simioni Sent: Friday, March 08, 2013 4:14 PM To: openldap-technical(a)openldap.org Subject: getent passwd inconsistent loginShell with ldapsearch Hi, When I do a 'getent check72 passwd' I get: check72:*:6072:6072:Johnny Appleseed:/home/check72:/bin/bash But when I do a ldapsearch command I get: # check72, people, wh.local dn: uid=check72,ou=people,dc=wh,dc=local uid: check72 cn: Johnny Appleseed objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: e1NTSEF9OWVHdTdPVHIwVE15ajNQNEphdG9GR1cwZnQxa2Ftb3k= shadowLastChange: 15140 shadowMax: 99999 shadowWarning: 7 uidNumber: 6072 gidNumber: 6072 homeDirectory: /home/check72 loginShell: /bin/noshell # check72, group, wh.local dn: cn=check72,ou=group,dc=wh,dc=local objectClass: posixGroup objectClass: top cn: check72 gidNumber: 6072 userPassword:: e0NSWVBUfXg= # search result search: 2 result: 0 Success I have rstarted slapd and nscd, any clue? Thanks in advance. This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio Inc. makes no warranty that this email is error or virus free. Thank you.

4 10

ACL by objectClass
by Evgeny Basov 12 Mar '13

12 Mar '13

Hello, everybody. I have this structure: dn: o=z objectclass: organization objectclass: top o: z dn: domainName=example.org,o=z objectclass: mailDomain objectclass: top domainname: example.org dn: uid=user,domainName=example.org,o=z objectclass: account objectclass: mailUser objectclass: top mail: user(a)example.org uid: user and want to grant access only for members of subtree of every domainName: dn: ou=Admins,domainName=example.org,o=z objectclass: organizationalUnit objectclass: top ou: Admins dn: uid=postmaster,ou=Admins,domainName=example.org,o=z objectclass: account objectclass: mailAdmin objectclass: top mail: postmaster(a)example.org uid: postmaster write ACL : {0}to attrs=userPassword by self write by anonymous auth by * none {1}to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$" by dn.onelevel,expand="ou=Admins,$2" write {2}to * by self write and all working fine, but I want to add something this: dn: uid=admin,domainName=example.org,o=z objectclass: account objectclass: mailAdmin objectclass: top mail: admin(a)example.org uid: admin and rewrite ACL to dn.regex="^(.+,)?(domainName=[^,]+,o=z)$" by dn.onelevel,expand="ou=Admins,$2" write for grant write access for all subentries of domainName which has objectClass=mailAdmin . Is it possible? How can I do it?

1 0

Data validation
by bob＠swin.edu.au 12 Mar '13

12 Mar '13

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Can anyone point me to a means of performing some sort of data validation on input data at the server end? Specifically, I want to store email addresses to be looked up by sendmail when doing alias processing. I want to have these aliases managed by users who may not be totally trustworthy, so I'd like to knock out any attempts to add aliases that have redirection or pipe operators in them. The printable string schema syntax (OID=1.3.6.1.4.1.1466.115.121.1.44) is pretty close to what I need, but it doesn't include the '@' character. Any ideas? Thanks in advance, Bob..... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (MingW32) Comment: No comment iD8DBQFRPneLpjfLzfdVw6YRAjueAKCV7fVyve4m0wTNy0S4/FNMrdT2XACcCryX Sn7CpG8ZHVVlUn+mu9kLE00= =nql5 -----END PGP SIGNATURE-----

2 1

S/Mime configuration
by Jignesh Patel 11 Mar '13

11 Mar '13

How to configure s/mime with openldap 2.4.23? -Jignesh

3 7

shadowLastChange missing after update
by Maria McKinley 11 Mar '13

11 Mar '13

Hi there, I recently changed from the slapd.conf configuration to the slapd.d configuration. Everything seemed to go reasonably well, but for some reason the shadowLastChange attribute was missing from all of the people. When I try to add it back in, I get: ldap_add: Object class violation (65) additional info: no objectClass attribute but, I seem to have the schema and objectClasses for ShadowLastChange: annette:~# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=schema,cn=config "(objectClass=olcSchemaConfig)" dn dn: cn=schema,cn=config dn: cn={0}core,cn=schema,cn=config dn: cn={1}cosine,cn=schema,cn=config dn: cn={2}nis,cn=schema,cn=config dn: cn={3}inetorgperson,cn=schema,cn=config dn: cn={4}misc,cn=schema,cn=config maria@mimi:~/sysadmin$ ldapsearch -xLLL "uid=jd" dn: uid=jd,ou=people,dc=example,dc=com objectClass: top objectClass: posixAccount objectClass: shadowAccount objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: inetLocalMailRecipient cn: Jochen Ditterich shadowMax: 365 gidNumber: 100 uid: jd homeDirectory: /home/jd mailRoutingAddress: jd(a)example.com uidNumber: 1025 sn: Ditterich shadowWarning: 7 mailLocalAddress: jd mail: jd(a)example.com loginShell: /bin/bash Anyone have any idea what might be going on? What am I missing? thanks, maria

3 5

Import base64 info
by arantza serrano 11 Mar '13

11 Mar '13

Hello, I’m trying to import my LDIF where some attributes are in base64: /opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF dn: uid=usu3,ou=users,o=my_organization uid: usu2 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson cn:: Q0FNSdFBCg== sn: my_sn mail: my_mail(a)mydomain.com userPassword: usuario > _EOF Then I get this error: adding new entry " uid=usu3,ou=users,o=my_organization " ldap_add: Invalid syntax (21) additional info: cn: value #0 invalid per syntax If I decode the value, I get the same error: /opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF dn: uid=usu3,ou=users,o=my_organization uid: usu2 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson cn: CAMIÑA sn: my_sn mail: my_mail(a)mydomain.com userPassword: usuario _EOF adding new entry " uid=usu3,ou=users,o=my_organization " ldap_add: Invalid syntax (21) additional info: cn: value #0 invalid per syntax How can I import my LDIF? Thanks!

5 5

Re: Import base64 info
by Jorge.armijo 11 Mar '13

11 Mar '13

elimina el caracter especial y prueb asi ese problema tenia yo usa la herramienta grafica ldapexplorer Enviado desde Samsung Mobile arantza serrano <zazu2276(a)hotmail.com> escribió: Hello, I’m trying to import my LDIF where some attributes are in base64: /opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF dn: uid=usu3,ou=users,o=my_organization uid: usu2 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson cn:: Q0FNSdFBCg== sn: my_sn mail: my_mail(a)mydomain.com userPassword: usuario > _EOF Then I get this error: adding new entry " uid=usu3,ou=users,o=my_organization " ldap_add: Invalid syntax (21) additional info: cn: value #0 invalid per syntax If I decode the value, I get the same error: /opt/openldap/bin/ldapadd -x -D "root_dn" -w pass_dn << _EOF dn: uid=usu3,ou=users,o=my_organization uid: usu2 objectClass: top objectClass: person objectClass: organizationalperson objectClass: inetorgperson cn: CAMIÑA sn: my_sn mail: my_mail(a)mydomain.com userPassword: usuario _EOF adding new entry " uid=usu3,ou=users,o=my_organization " ldap_add: Invalid syntax (21) additional info: cn: value #0 invalid per syntax How can I import my LDIF? Thanks!

1 0

ldap start and stop scripts
by francesco.policastro＠selex-es.com 11 Mar '13

11 Mar '13

Hi, Can anyone address me to a script to start and stop openldap? I mean a script to use with chkconfig. What I found online is somehow obsolete, i.e. it refers to slurpd and slapd.conf, with no reference to slapd.d I installed rev. 2.4.33 from sources. Thanks in advance, Francesco

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2013