Greetings,
I hope this is an appropriate mailing list to ask for some assistance. I will state up front that my LDAP experience is extremely limited - essentially noob level.
I've been attempting to set up openldap 2.4.39 on CentOS 6 via the official distribution packages. The server is up and running, and my application is connecting successfully and attempting to add entries to the directory; so I believe I have the fundamentals in place, like the directory manager password and the basic base DN. When connecting with an LDAP browser, I see "dc=valnet,dc=net", which was the configured base DN.
When my application attempts to add to the directory it searches for the entry, then adds if the entry isn't found. I'm receiving this error:
54760bfd conn=1003 op=971 do_search: invalid dn: "x500UniqueIdentifier=45270,dc=valnet,dc=net"
54760bfd conn=1003 op=971 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
54760bfd conn=1003 op=972 do_add: invalid dn (x500UniqueIdentifier=45270,dc=valnet,dc=net)
54760bfd conn=1003 op=972 RESULT tag=105 err=34 text=invalid DN
I suspect that I am missing some sort of extremely basic configuration item, but I've been having a very, very difficult time locating relevant documentation. Everything I find in my searches references the old-style configuration, not the new-style LDIF configuration with cn=config directories, nor have I found any information about how to troubleshoot an "invalid DN" error. It appears that I may be missing a schema file such as inetOrgPerson or nis.
The application is attempting to create entries with these attributes:
Primary Key: x500UniqueIdentifier
Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier
I would appreciate some basic guidance as to what to do, or some direction to the proper documentation or guide for solving "invalid DN" while attempting to add entries to the directory.
--On Wednesday, November 26, 2014 11:24 AM -0600 Nick Bright nick.bright@valnet.net wrote:
The application is attempting to create entries with these attributes:
Primary Key: x500UniqueIdentifier
Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier
I would appreciate some basic guidance as to what to do, or some direction to the proper documentation or guide for solving "invalid DN" while attempting to add entries to the directory.
Interesting... I've never seen anyone try to use x500UniqueIdentifier as a DN component before. It looks like it expects a bitstring:
olcAttributeTypes: ( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X.500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
The syntax leads us to:
https://www.ietf.org/rfc/rfc2252.txt
Which, in section 6.3, gives us the requirements and an example:
6.3. Bit String
( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
Values in this syntax are encoded according to the following BNF:
bitstring = "'" *binary-digit "'B"
binary-digit = "0" / "1"
Example:
'0101111101'B
So clearly, the value your application is supplying is not valid, thus the error is correct. I would suggest using a more appropriate attribute.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 11/26/2014 12:00 PM, Quanah Gibson-Mount wrote:
--On Wednesday, November 26, 2014 11:24 AM -0600 Nick Bright nick.bright@valnet.net wrote:
The application is attempting to create entries with these attributes:
Primary Key: x500UniqueIdentifier
Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier
I would appreciate some basic guidance as to what to do, or some direction to the proper documentation or guide for solving "invalid DN" while attempting to add entries to the directory.
Interesting... I've never seen anyone try to use x500UniqueIdentifier as a DN component before.
It's the unique id for the source system that's syndicating data to the directory. I've used this configuration before, but it was with "centos-ds".
It looks like it expects a bitstring:
<snip>
So clearly, the value your application is supplying is not valid, thus the error is correct. I would suggest using a more appropriate attribute.
Thank you. I'll attempt to do so. Any suggestions or guidance?
--On Wednesday, November 26, 2014 12:09 PM -0600 Nick Bright nick.bright@valnet.net wrote:
So clearly, the value your application is supplying is not valid, thus the error is correct. I would suggest using a more appropriate attribute.
Thank you. I'll attempt to do so. Any suggestions or guidance?
That will depend a lot on what you want your application to do, and what it is expecting... Many people use uid as the RDN. If you're attempting to hide the uid out of the DN by using a different attribute, then you may want to create your own custom attribute, or find something else out of the various schema that come with openldap that better suits your needs. I.e., I don't know what your end goals/needs are, so it's hard to say anything past generalizations.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Nick Bright wrote:
On 11/26/2014 12:00 PM, Quanah Gibson-Mount wrote:
--On Wednesday, November 26, 2014 11:24 AM -0600 Nick Bright nick.bright@valnet.net wrote:
The application is attempting to create entries with these attributes:
Primary Key: x500UniqueIdentifier
Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier
I would appreciate some basic guidance as to what to do, or some direction to the proper documentation or guide for solving "invalid DN" while attempting to add entries to the directory.
Interesting... I've never seen anyone try to use x500UniqueIdentifier as a DN component before.
It's the unique id for the source system that's syndicating data to the directory. I've used this configuration before, but it was with "centos-ds".
Is "centos-ds" the "389-ds"? This directory server has, IIRC, less strict schema checking, especially regarding DNs.
I have already seen people using 'x500UniqueIdentifier' without knowing about the really correct LDAP syntax and stuffing normal user names therein.
=> you have to sanitize the data when migrating / syncing.
Ciao, Michael.
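As an added illustration (not code from this thread, from OpenLDAP, or from 389-ds), the following Python applies the RFC 2252 Bit String BNF that Quanah quoted to each RDN value of a DN, so the DN from Nick's error message is rejected before it reaches slapd, and adds a hypothetical sanitize step of the kind Michael describes for migrated data. It assumes simple DNs (no multi-valued RDNs); the `sanitize_entry` helper and its re-encoding of a decimal id as a Bit String are my assumptions, not something the thread prescribes.

```python
import re

# Bit String syntax from RFC 2252 section 6.3 as quoted in the thread:
#   bitstring = "'" *binary-digit "'B"   binary-digit = "0" / "1"
BITSTRING_RE = re.compile(r"^'[01]*'B$")

# Attribute types whose SYNTAX is 1.3.6.1.4.1.1466.115.121.1.6 (Bit String);
# x500UniqueIdentifier is the one from the core schema line quoted above.
BITSTRING_ATTRS = {"x500uniqueidentifier"}


def is_bitstring(value):
    """True if value is a well-formed Bit String such as '0101111101'B."""
    return BITSTRING_RE.match(value) is not None


def check_dn(dn):
    """Return a list of problems with the DN; an empty list means it passes.
    Assumption: simple DNs (backslash-escaped commas stay in their RDN,
    multi-valued RDNs joined with '+' are not handled)."""
    problems = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            problems.append("RDN %r has no '='" % rdn)
            continue
        attr, value = rdn.split("=", 1)
        attr, value = attr.strip().lower(), value.strip()
        if attr in BITSTRING_ATTRS and not is_bitstring(value):
            problems.append("%s=%r is not a Bit String ('...'B)" % (attr, value))
    return problems


def sanitize_entry(entry, base_dn):
    """Hypothetical migration helper: make uid the RDN (what the thread's
    'nis' profile does) and re-encode a decimal x500UniqueIdentifier as a
    Bit String so it survives strict syntax checking. Keeping the source
    id this way is a design choice, not something the thread prescribes."""
    clean = dict(entry)
    clean["dn"] = "uid=%s,%s" % (entry["uid"], base_dn)
    src_id = entry.get("x500UniqueIdentifier")
    if src_id is not None and not is_bitstring(src_id):
        if src_id.isdigit():
            clean["x500UniqueIdentifier"] = "'%s'B" % format(int(src_id), "b")
        else:
            del clean["x500UniqueIdentifier"]  # cannot be expressed as bits
    return clean
```

Running `check_dn` over the DNs a sync job is about to submit turns slapd's err=34 into a readable report of which values violate the attribute's syntax.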
On 11/26/2014 3:59 PM, Michael Ströder wrote:
Nick Bright wrote:
On 11/26/2014 12:00 PM, Quanah Gibson-Mount wrote:
--On Wednesday, November 26, 2014 11:24 AM -0600 Nick Bright nick.bright@valnet.net wrote:
The application is attempting to create entries with these attributes:
Primary Key: x500UniqueIdentifier
Attributes: cn, uid, sn, givenname, userPassword, dn, x500UniqueIdentifier
I would appreciate some basic guidance as to what to do, or some direction to the proper documentation or guide for solving "invalid DN" while attempting to add entries to the directory.
Interesting... I've never seen anyone try to use x500UniqueIdentifier as a DN component before.
It's the unique id for the source system that's syndicating data to the directory. I've used this configuration before, but it was with "centos-ds".
Is "centos-ds" the "389-ds"? This directory server has, IIRC, less strict schema checking, especially regarding DNs.
My previous LDAP integration was with centos-ds (on CentOS 5), which appears to have been replaced by 389-ds. I did have to disable strict schema checking on that implementation.
Thank you for your replies and help. I have determined that, as I had suspected, there was a missing schema of "mailrecipient", and I've been able to successfully add entries after removing that objectclass from my submitting application. In addition, I did need to switch the schema profile on my 3rd party application, which was attempting to submit data into the directory, from "iplanet" to "nis", which uses uid as the primary key.
I appreciate your patience with my lack of clue on the matter ;)
openldap-technical@openldap.org