HELP
I've been able to replace nis.schema with rfc2307bis.schema so that I can have groups with both member and memberUID attributes.
when I try using ldapmodify to add members to the group such as:
echo "dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid=newuser1,ou=People,dc=moores,dc=ca" | /usr/bin/ldapmodify -v -y /etc/ldap.secret -D cn=admin,dc=moores,dc=ca -xH ldap://localhost
it returns the following error message:
ldap_initialize( ldap://localhost:389/??base )
modifying entry "cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid=newuser1,ou=People,dc=moores,dc=ca"
ldap_modify: No such object (32)
        matched DN: ou=People,dc=moores,dc=ca
The group and the user both exist. What is most interesting is that ldapmodify appears to modify my request because slapd itself gives this message:
hdb_referrals: tag=102 target="cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid\3Dnewuser1,ou=People,dc=moores,dc=ca" matched="ou=People,dc=moores,dc=ca"
bdb_dn2entry("cn=newgrou1,ou=groups,dc=moores,dc=ca changetype: modify add: memberuid memberuid: newuser1 replace: member member: uid\3Dnewuser1,ou=people,dc=moores,dc=ca")
=> hdb_dn2id("dc=ca changetype: modify add: memberuid memberuid: newuser1 replace: member member: uid\3Dnewuser1,ou=people,dc=moores,dc=ca")
<= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
Notice that the "uid=newuser" part of my request has been changed to "uid\3Dnewuser". I've tried a number of different combinations and it appears to me that the first '=' is always replaced with \3D, and then the silly thing tries to look up that element, and lo and behold it does not exist.
If I can make this work, then I think I will have group permissions for unix groups working on LDAP.
Does anybody have any idea why ldapmodify would be doing this??????
Darryl Moore wrote:
HELP
I've been able to replace nis.schema with rfc2307bis.schema so that I can have groups with both member and memberUID attributes.
when I try using ldapmodify to add members to the group such as:
echo "dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid=newuser1,ou=People,dc=moores,dc=ca" | /usr/bin/ldapmodify -v -y /etc/ldap.secret -D cn=admin,dc=moores,dc=ca -xH ldap://localhost
Attributes fed to ldapmodify must be separated with line feeds. First line starts with dn:, next line starts with changetype:, etc. Different DNs can be separated with empty lines.
It's not a different DN. It is the value of the 'member' attribute.
I don't believe they do need to have LF separators between attributes. The data I am feeding into ldapmodify was the same data I extracted from a slightly modified version of the ldapaddusertogroup script. So this is how that script does it also.
I can use the same format to make changes that are successful. For example adding only the memberUID works fine.
BTW the original extracted code had 'add:' instead of 'replace:' for the 'member' attribute. The code below is from one of my experimental variations. Both work the same however. NOT!
Any other ideas????
Why is the content of my request being altered like this?
cheers, darryl
Bjørn Ruberg wrote:
Darryl Moore wrote:
HELP
I've been able to replace nis.schema with rfc2307bis.schema so that I can have groups with both member and memberUID attributes.
when I try using ldapmodify to add members to the group such as:
echo "dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid=newuser1,ou=People,dc=moores,dc=ca" | /usr/bin/ldapmodify -v -y /etc/ldap.secret -D cn=admin,dc=moores,dc=ca -xH ldap://localhost
Attributes fed to ldapmodify must be separated with line feeds. First line starts with dn:, next line starts with changetype:, etc. Different DNs can be separated with empty lines.
Darryl Moore writes:
It's not a different DN. It is the value of the 'member' attribute.
I don't believe they do need to have LF separators between attributes.
Your belief is wrong. Read - and believe - 'man ldif'. Or read - and believe - the output from ldapmodify. It told you it modified the entry named "cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid=newuser1,ou=People,dc=moores,dc=ca" All of that is the DN it used.
The data I am feeding into ldapmodify was the same data I extracted from a slightly modified version of the ldapaddusertogroup script. So this is how that script does it also.
So your extraction script is broken, maybe it did echo `something` instead of echo "`something`". Or your cut&paste from the extraction is broken.
Right you are. Thank you. There really is no predicting what will happen to your data when you work outside the spec.
I've changed it by moving my data into a file which now looks like this:
dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca
changetype: modify
add: memberUid
memberUid: newuser1
add: member
member: uid=newuser1,ou=People,dc=moores,dc=ca
Then I run ldapmodify like this:
/usr/bin/ldapmodify -v -y /etc/ldap.secret -D cn=admin,dc=moores,dc=ca -xH ldap://localhost -f ~/test.ldif
Now my reply is this:
ldap_initialize( ldap://localhost:389/??base )
ldapmodify: wrong attributeType at line 5, entry "cn=newgrou1,ou=Groups,dc=moores,dc=ca"
Fingering my user and group reveals the following (note the existing member entry is from manually creating it via a GUI):
root@bison:~/ldapscripts.bkp# ldapfinger -g newgrou1
dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 65535
member: uid=test,dc=ca
description: Group account
cn: newgrou1
root@bison:~/ldapscripts.bkp# ldapfinger newuser1
dn: uid=newuser1,ou=People,dc=moores,dc=ca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: posixAccount
cn: newuser1
sn: newsn
uid: newuser1
uidNumber: 65535
gidNumber: 100
homeDirectory: /home/newuser1
loginShell: /bin/bash
gecos: newuser1
description: User account
title: test
Any more pointers?
thanks, darryl
Hallvard B Furuseth wrote:
Darryl Moore writes:
It's not a different DN. It is the value of the 'member' attribute.
I don't believe they do need to have LF separators between attributes.
Your belief is wrong. Read - and believe - 'man ldif'. Or read - and believe - the output from ldapmodify. It told you it modified the entry named "cn=newgrou1,ou=Groups,dc=moores,dc=ca changetype: modify add: memberUid memberUid: newuser1 replace: member member: uid=newuser1,ou=People,dc=moores,dc=ca" All of that is the DN it used.
The data I am feeding into ldapmodify was the same data I extracted from a slightly modified version of the ldapaddusertogroup script. So this is how that script does it also.
So your extraction script is broken, maybe it did echo `something` instead of echo "`something`". Or your cut&paste from the extraction is broken.
Darryl Moore writes:
I've changed it by moving my data into a file which now looks like this:
dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca
changetype: modify
add: memberUid
memberUid: newuser1
add: member
member: uid=newuser1,ou=People,dc=moores,dc=ca
And now compare with man ldif, which shows that when you use "changetype:" format you should have a "-" line after the last value of each attribute.
Hallelujah. Thanks. That fixed it.
Now I can get to work on the modification I need to make to the ldapscripts so that I can use them to automate this process.
This is most definitely turning into a lot of work, and I am surprised that I seem to need to do this so that user entries in the LDAP database can be used for both Unix logins and group write permissions below the group entries in the database:
replacing nis with rfc2307, editing ldapscripts and templates.
Is there something else I've been missing too? Or is this really the only way to achieve my ends?
cheers, darryl
Hallvard B Furuseth wrote:
Darryl Moore writes:
I've changed it by moving my data into a file which now looks like this:
dn: cn=newgrou1,ou=Groups,dc=moores,dc=ca
changetype: modify
add: memberUid
memberUid: newuser1
add: member
member: uid=newuser1,ou=People,dc=moores,dc=ca
And now compare with man ldif, which shows that when you use "changetype:" format you should have a "-" line after the last value of each attribute.
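The two problems worked through in this thread (line breaks lost by an unquoted echo, and the missing "-" line after each modification), as an added example that is not part of the thread and not code from ldapscripts: a small POSIX shell helper that emits the change record the way 'man ldif' requires, and a demonstration of how an unquoted command substitution flattens it into the one-line DN seen in the first post. The DNs are the ones from the thread; the ldapmodify and ldapsearch options in the comments are standard OpenLDAP client options, and nothing else about the directory is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from ldapscripts.
# Builds a "changetype: modify" LDIF record that adds a user to an
# rfc2307bis group as both memberUid and member, with one attribute per
# line and each modification closed by a line containing only "-".
# DNs below are the ones from the thread; nothing else is assumed.

group_member_ldif() {
  group_dn=$1   # cn=newgrou1,ou=Groups,dc=moores,dc=ca
  uid=$2        # newuser1
  user_dn=$3    # uid=newuser1,ou=People,dc=moores,dc=ca
  printf '%s\n' \
    "dn: $group_dn" \
    "changetype: modify" \
    "add: memberUid" \
    "memberUid: $uid" \
    "-" \
    "add: member" \
    "member: $user_dn" \
    "-"
}

# Number of lines in a string (restores the trailing newline that $(...) strips).
line_count() {
  printf '%s\n' "$1" | wc -l | tr -d ' '
}

# What went wrong in the first post: an unquoted command substitution is
# word-split and echo rejoins the words with spaces, so the whole record
# becomes one line and ldapmodify treats all of it as the DN.
flattened() {
  echo $(group_member_ldif "$@")
}

# Quoting the substitution keeps the line breaks intact.
preserved() {
  printf '%s\n' "$(group_member_ldif "$@")"
}

# Cheap pre-flight check before sending anything: a dn line that still
# contains "changetype:" means the line breaks were lost on the way.
# Exit status 0 means the record is flattened.
ldif_is_flat() {
  printf '%s\n' "$1" | grep -q '^dn: .*changetype:'
}

# Usage against the thread's server. -n is a dry run: ldapmodify parses the
# LDIF and reports what it would do without touching the directory; drop -n
# once the output looks right.
#
#   group_member_ldif "cn=newgrou1,ou=Groups,dc=moores,dc=ca" newuser1 \
#       "uid=newuser1,ou=People,dc=moores,dc=ca" \
#     | ldapmodify -n -v -x -H ldap://localhost \
#         -D cn=admin,dc=moores,dc=ca -y /etc/ldap.secret
#
# Afterwards confirm both attributes landed on the group entry:
#
#   ldapsearch -x -LLL -H ldap://localhost \
#       -b "cn=newgrou1,ou=Groups,dc=moores,dc=ca" -s base memberUid member
```

Running the dry run first matters with a directory that is also the Unix account database: a malformed record that ldapmodify does accept is applied with the admin bind's full rights, and a mistaken "replace: member" (as in one of the variations tried above) silently drops every existing member of the group.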
openldap-technical@openldap.org