Hi,
I want to add a new objectclass using an ldif; this objectclass requires some attributes (according to schema). I can't make it work.
For posixAccount class, required attributes are: cn gidNumber homeDirectory uid uidNumber
I already have cn and uid.
I am trying:
dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
uidNumber: 1700
homeDirectory: /var/members/userx
gidNumber: 48
loginShell: /bin/false
and it fails.
I've tried other ways too, like including existing objectclasses in the LDIF (I've read about that in a blog), using a separate add statement for optional attribute loginShell, etc. but nothing worked.
If the ObjectClass to add does not specify REQUIRED attributes in the schema, there is no problem in adding it.
How should I formulate the LDIF?
Please advise.
Thanks, Nick
Nick Milas writes:
dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
uidNumber: 1700
(...)
With 'changetype: modify', for every attribute type you need 'add: <attrtype>' in front and a line with just '-' after, to separate it from next attr.type. See 1st 'man ldapmodify' example.
Beyond that - it's usually easier to help when you give the error message and the command line you used, not just "it fails".
On 16/12/2011 3:22 PM, Hallvard Breien Furuseth wrote:
With 'changetype: modify', for every attribute type you need 'add:<attrtype>' in front and a line with just '-' after, to separate it from next attr.type. See 1st 'man ldapmodify' example.
Beyond that - it's usually easier to help when you give the error message and the command line you used, not just "it fails".
Thanks for the reply.
I have tried using ldapmodify and the following ldif file:
dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: 1700
-
add: homeDirectory
homeDirectory: /var/members/userx
-
add: gidNumber
gidNumber: 48
-
add: loginShell
loginShell: /bin/false
I found that this works fine using the openldap ldapmodify tool. Unfortunately, however, it doesn't work with any other tool (that's why I didn't succeed before). I tried with phpLDAPadmin 1.1.0.7, JXplorer (3.3 beta) and ApacheDS (2.0.0 beta) and all return an error.
phpLDAPadmin: LDIF Parse Error / Description: The attribute to modify doesnt match the one specified by the add attribute.
JXplorer: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - add: attribute type undefined]
ApacheDS: #!ERROR Record is invalid
Some incompatibility in LDIF syntax perhaps? I'll continue testing to see what should be acceptable LDIF syntax for such tools.
Any feedback/experience will be welcome.
Thanks, Nick
Nick Milas writes:
add: ObjectClass
objectClass: posixAccount
phpLDAPadmin: LDIF Parse Error / Description: The attribute to modify doesnt match the one specified by the add attribute.
Maybe it does a case-sensitive compare. Try lowercase 'O'.
JXplorer: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - add: attribute type undefined]
ApacheDS: #!ERROR Record is invalid
WTF... Maybe it wants the missing '-' after the entry. OpenLDAP doesn't require it, but possibly the LDIF standard does.
On 16/12/2011 4:53 PM, Hallvard Breien Furuseth wrote:
WTF... Maybe it wants the missing '-' after the entry. OpenLDAP doesn't require it, but possibly the LDIF standard does.
Tried objectClass instead of ObjectClass (in all following tests). Then:
phpLDAPadmin does not work either with or without the '-' at the bottom:
LDIF text import
Could not modify object: uid=userx,ou=people,dc=example,dc=com
LDAP said: LDAP_OBJECT_CLASS_VIOLATION
You tried to perform an operation that would cause an undefined attribute to exist or that would remove a required attribute, given the current list of ObjectClasses. This can also occur if you do not specify a structural objectClass when creating an entry, or if you specify more than one structural objectClass.
JXplorer also does not work with or without the '-' at the bottom:
With the '-':
java.lang.RuntimeException: "Error - illegal line in ldif file " + "(" + lineNumber +") in LDIF file: + " + fileName + "\n" + attributeValueText
Without the '-':
javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - add: attribute type undefined]; remaining name 'uid=userx,ou=people,dc=example,dc=com'
ApacheDS: WORKS only WITHOUT the '-' at the bottom.
With the '-' at the bottom: #!ERROR Record is invalid
So, where are we? I guess I could contact those developers (ApacheDS and JXplorer at least) and tell them so they can do something about it...
Nick
On 16/12/2011 7:34 PM, Nick Milas wrote:
ApacheDS: WORKS only WITHOUT the '-' at the bottom.
Correction: Apache Directory Studio LDIF import works fine both with and without the '-' at the bottom. It just needs a CR at the end of the bottom line with text (in the LDIF file). I found that these LDIF imports were failing because the bottom '-' was not followed by a CR. If the bottom LDIF line (whichever it might be) didn't have a CR at the end, the file wouldn't be imported correctly.
Tests with Apache Directory Studio were on Windows OS.
Nick
Nick Milas wrote:
On 16/12/2011 3:22 PM, Hallvard Breien Furuseth wrote:
With 'changetype: modify', for every attribute type you need 'add:<attrtype>' in front and a line with just '-' after, to separate it from next attr.type. See 1st 'man ldapmodify' example.
Beyond that - it's usually easier to help when you give the error message and the command line you used, not just "it fails".
Thanks for the reply.
I have tried using ldapmodify and the following ldif file:
dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: 1700
-
add: homeDirectory
homeDirectory: /var/members/userx
-
add: gidNumber
gidNumber: 48
-
add: loginShell
loginShell: /bin/false
I found that this works fine using the openldap ldapmodify tool. Unfortunately, however, it doesn't work with any other tool (that's why I didn't succeed before). I tried with phpLDAPadmin 1.1.0.7, JXplorer (3.3 beta) and ApacheDS (2.0.0 beta) and all return an error.
phpLDAPadmin: LDIF Parse Error / Description: The attribute to modify doesnt match the one specified by the add attribute.
JXplorer: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - add: attribute type undefined]
ApacheDS: #!ERROR Record is invalid
Some incompatibility in LDIF syntax perhaps? I'll continue testing to see what should be acceptable LDIF syntax for such tools.
Any feedback/experience will be welcome.
I have had a similar problem with gq. gq is just another gtk based client. The problem gets solved if I add the objectclass top prior to adding any Auxiliary objectclass.
Yes, I know that openldap does not require the objectclass top, but some clients do their own verification.
Thanks, Nick
openldap-technical@openldap.org
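Added example, not code from any poster or from the OpenLDAP project: a small Python linter for a single 'changetype: modify' record that reports the portability points raised in this thread (one add:/delete:/replace: line per attribute type, a '-' line closing each operation, attribute-name case, and a line terminator on the last line). The function name, messages and the FIRST/SECOND/FIXED constants are this example's own; the sample records are rebuilt from the LDIF posted above.

```python
import re

OP = re.compile(r"^(add|delete|replace):\s*(\S+)\s*$")

def lint_modify_record(text):
    """Return [(line_no, message)] for one 'changetype: modify' LDIF record."""
    lines = text.split("\n")
    findings = []
    if lines[-1] == "":
        lines.pop()                      # file ends with a line terminator
    else:
        findings.append((len(lines), "last line has no line terminator"))
    current = None                       # attribute named by the open operation
    in_mods = False
    for no, line in enumerate(lines, start=1):
        line = line.rstrip("\r")
        if not in_mods:                  # skip dn: up to and including changetype:
            in_mods = re.match(r"changetype:\s*modify\s*$", line) is not None
            continue
        op = OP.match(line)
        if line == "-":                  # RFC 2849 closes every operation with '-'
            current = None
        elif op:
            if current is not None:
                findings.append((no, "missing '-' line before '%s'" % line))
            current = op.group(2)
        else:
            name = line.split(":", 1)[0]
            if current is None:
                findings.append((no, "'%s' has no add:/delete:/replace: line" % name))
            elif name.lower() != current.lower():
                findings.append((no, "'%s' is not the attribute of '%s'" % (name, current)))
            elif name != current:
                findings.append((no, "'%s' differs in case from '%s'" % (name, current)))
    if current is not None:
        findings.append((len(lines), "last operation is not closed by '-'"))
    return findings

# Sample records: the two LDIF bodies posted in the thread, rebuilt line by line.
HEAD = "dn: uid=userx,ou=people,dc=example,dc=com\nchangetype: modify\n"
REST = [("uidNumber", "1700"), ("homeDirectory", "/var/members/userx"),
        ("gidNumber", "48"), ("loginShell", "/bin/false")]
FIRST = HEAD + "add: ObjectClass\nobjectClass: posixAccount\n" + \
    "".join("%s: %s\n" % av for av in REST)
SECOND = HEAD + "add: ObjectClass\nobjectClass: posixAccount\n" + \
    "".join("-\nadd: %s\n%s: %s\n" % (a, a, v) for a, v in REST)
FIXED = SECOND.replace("ObjectClass", "objectClass") + "-\n"

if __name__ == "__main__":
    for label, rec in (("first", FIRST), ("second", SECOND), ("fixed", FIXED)):
        print(label, lint_modify_record(rec))
```

The case finding is a portability warning only, since LDAP attribute names are case-insensitive; the other findings describe records that stricter LDIF parsers may reject.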