I have one file that I need to use to import about 50 people, it doesn't like the fact that I have more than one user in the file for some reason. I might have another 200 in the future and need to figure out why it isn't working... Help please.
Is my syntax wrong? Did I place something in the wrong order or something more than once that isn't needed?
I have included two users, all are the same except the actual username.
Help please.
# USER ENTRY
dn: cn=New.user01,ou=People,dc=test,dc=com
uid: NEW.user01
givenName: NEW.user01
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: NEW.user01
sn: NEW.user01
ou: People
cn: NEW.user01
objectClass: uidObject
objectClass: pwdPolicy
pwdAttribute: userPassword
objectClass: pwdPolicyChecker
pwdMinAge: 86400
pwdMaxAge: 7776002
pwdInHistory: 10
pwdCheckQuality: 2
pwdMinLength: 14
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 120
pwdAllowUserChange: TRUE
pwdCheckModule: Standard Policy
pwdLockout: FALSE

dn: cn=NEW.user02,ou=People,dc=test,dc=com
uid: NEW.user02
givenName: NEW.user02
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: NEW.user02
sn: NEW.user02
ou: People
cn: NEW.user02
objectClass: uidObject
objectClass: pwdPolicy
pwdAttribute: userPassword
objectClass: pwdPolicyChecker
pwdMinAge: 86400
pwdMaxAge: 7776002
pwdInHistory: 10
pwdCheckQuality: 2
pwdMinLength: 14
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 120
pwdAllowUserChange: TRUE
pwdCheckModule: Standard Policy
pwdLockout: FALSE
ldapadd -v -d 1 -D "cn=Admin,dc=test,dc=com" -w test -f /tmp/T/.ldif
adding new entry cn=New.user01,ou=People,dc=test,dc=com
ldap_add: Type or value exists
ldap_add: additional info: objectClass: value #1021 provided more than once
Have you tried adding a single "-" in a new line at the end of each entry before the blank newline? IIRC I have to do this when using ldapmodify commands in-line to indicate the end of a record and the beginning of a new one. Something like this:
dn: cn=blah,dc=domain
objectClass: person
...
cn: blah
-

dn: cn=blah2,dc=domain
...
-Michael Proto
On Thu, Jan 2, 2014 at 12:35 PM, David Barr David.Barr2@mclaneat.com wrote:
On Thu, 2 Jan 2014, Michael Proto wrote:
Have you tried adding a single "-" in a new line at the end of each entry before the blank newline? IIRC I have to do this when using ldapmodify commands in-line to indicate the end of a record and the beginning of a new one. Something like this:
Hmm? A review of the syntax in the LDIF spec (RFC 2849) or the examples in the ldif(5) manpage would show that a "-" line is used only after modify records with an explicit "add:", "replace:", or "delete:" line.
dn: cn=blah,dc=domain
objectClass: person
...
cn: blah
-
A quick check shows ldapadd will reject that with an error like this:
adding new entry "cn=blah,dc=domain"
ldapadd: update failed: cn=blah,dc=domain
ldap_add: Bad parameter to an ldap routine (-9)
It's likely that the original poster's problem is that the blank line between the entries isn't really blank but rather contains spaces. The grammar only permits line-feeds and carriage-return line-feed pairs between entries and not actual space characters. Putting a space there makes it look like a continuation of the previous line, and the next "dn:" line is just an attribute for the entry in progress.
So, use whatever tool you prefer ("cat -vet" is my preference) to verify that the blank lines are really blank and that there aren't other hidden characters in the input file.
Philip Guenther
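The folding rule Philip describes (a leading space continues the previous line; only an empty line ends a record) is easy to check by script rather than by eye. The following is an added example, not code from the OpenLDAP project or from anyone in this thread: it unfolds and splits LDIF the way RFC 2849 specifies, reports attribute values that occur twice in one record (the symptom in the original error), and lints the raw bytes for the hidden characters mentioned in the thread (a whitespace-only "blank" line, trailing whitespace, a UTF-8 byte order mark). The two sample inputs are constructed; CRLF line endings are treated as legal, as Philip notes.

```python
"""Check an LDIF file for the record-separator pitfalls described above.

Added example, not code from the OpenLDAP project or from anyone in this
thread. It applies two RFC 2849 rules: a line beginning with a single space
continues the previous line, and only a genuinely empty line ends a record.
The sample inputs are constructed for the demonstration.
"""
import sys

# Constructed sample: the "blank" line between the entries holds one space,
# which most editors render exactly like an empty line.
SAMPLE_BAD = (
    "dn: cn=New.user01,ou=People,dc=test,dc=com\n"
    "objectClass: top\n"
    "objectClass: person\n"
    "cn: NEW.user01\n"
    " \n"
    "dn: cn=NEW.user02,ou=People,dc=test,dc=com\n"
    "objectClass: top\n"
    "objectClass: person\n"
    "cn: NEW.user02\n"
)
# The same file with a truly empty separator line.
SAMPLE_GOOD = SAMPLE_BAD.replace(" \n", "\n")


def unfold(text):
    """Join continuation lines (leading space) onto the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_records(text):
    """Split LDIF text into records, each a list of (attribute, value) pairs."""
    records, current = [], []
    for line in unfold(text) + [""]:     # sentinel flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    return records


def duplicate_values(record):
    """Attribute/value pairs that appear more than once in a single record."""
    seen, dups = set(), []
    for pair in record:
        if pair in seen and pair not in dups:
            dups.append(pair)
        seen.add(pair)
    return dups


def lint(data):
    """Flag hidden characters in raw LDIF bytes: a BOM, whitespace-only lines,
    trailing whitespace. CRLF line endings are legal and are not reported."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("line 1: UTF-8 byte order mark before the first record")
    for n, raw in enumerate(data.split(b"\n"), 1):
        if raw.endswith(b"\r"):
            raw = raw[:-1]
        if raw and raw.strip() == b"":
            problems.append(f"line {n}: whitespace-only line (a continuation, not a separator)")
        elif raw != raw.rstrip():
            problems.append(f"line {n}: trailing whitespace")
    return problems


if __name__ == "__main__":
    # Usage: python ldif_check.py file.ldif
    data = open(sys.argv[1], "rb").read()
    for problem in lint(data):
        print(problem)
    for rec in parse_records(data.decode("utf-8")):
        dn = next((v for a, v in rec if a == "dn"), "?")
        for attr, value in duplicate_values(rec):
            print(f"{dn}: {attr}: {value} provided more than once")
```

Run against the constructed SAMPLE_BAD, parse_records returns a single record whose second "dn:" line has become just another attribute, and duplicate_values reports objectClass: top and objectClass: person twice, which is the same shape as the "provided more than once" error in the original post; SAMPLE_GOOD yields two clean records. The lint pass is the scripted equivalent of the "cat -vet" or "od" check recommended in the thread.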
Philip, are you saying that if you are using VI in editor mode and turn on set list to make sure that a $ is in the first column as opposed to " $" in the first two columns?
I don't have this problem, but it is something to learn from.
Warron French, MBA, SCSA
From: Philip Guenther pguenther@proofpoint.com
To: Michael Proto michael.proto@tstllc.net
Cc: David Barr David.Barr2@mclaneat.com, "openldap-technical@openldap.org" openldap-technical@openldap.org
Date: 01/02/2014 01:53 PM
Subject: Re: OpenLDAP Multiple User Import
Sent by: openldap-technical-bounces@OpenLDAP.org
On Thu, 2 Jan 2014, Warron S French wrote:
Philip, are you saying that if you are using VI in editor mode and turn on set list to make sure that a $ is in the first column as opposed to " $" in the first two columns?
That sounds like a reasonable way to check for trailing whitespace and other special characters, yes.
Philip
On Thu, Jan 02, 2014 at 11:45:16AM -0800, Philip Guenther wrote:
On Thu, 2 Jan 2014, Warron S French wrote:
Philip, are you saying that if you are using VI in editor mode and turn on set list to make sure that a $ is in the first column as opposed to " $" in the first two columns?
That sounds like a reasonable way to check for trailing whitespace and other special characters, yes.
I go low-tech in circumstances like this, and use 'od' or 'hexdump'.
Unrelated to OP's problem, I've seen LDIF files that had UTF8 characters and/or weird EOL characters, that many editors will helpfully hide from you.
Philip
On Thu, 2 Jan 2014, Brian Reichert wrote:
Unrelated to OP's problem, I've seen LDIF files that had UTF8 characters and/or weird EOL characters, that many editors will helpfully hide from you.
UTF-8 characters are perfectly legal in values, as documented in both the RFC and the ldif(5) manpage.
DOS-style line-endings (CRLF instead of just LF) are also perfectly legal (though the ldif(5) manpage doesn't mention that). You can even mix CRLF and LF line-endings inside a single file.
(Really folks, the RFC isn't that hard to read.)
Philip Guenther
On Thu, Jan 02, 2014 at 01:01:22PM -0800, Philip Guenther wrote:
On Thu, 2 Jan 2014, Brian Reichert wrote:
Unrelated to OP's problem, I've seen LDIF files that had UTF8 characters and/or weird EOL characters, that many editors will helpfully hide from you.
UTF-8 characters are perfectly legal in values, as documented in both the RFC and the ldif(5) manpage.
I misspoke; the issue I ran into was a leading BOM, not the character encoding. That caused grief with some tools.
DOS-style line-endings (CRLF instead of just LF) are also perfectly legal (though the ldif(5) manpage doesn't mention that). You can even mix CRLF and LF line-endings inside a single file.
I have a many-years-old memory of slapadd being sensitive to line endings. I can't quickly prove that, however.
(Really folks, the RFC isn't that hard to read.)
All true; but my original point stands; editors can hide details that 'od' and the like can reveal.
Philip Guenther
On Thu, 2 Jan 2014 17:35:33 +0000, David Barr David.Barr2@mclaneat.com wrote:
You should not include password policy attributes in a user entry. The proper way is to create policy entries and point a user entry to this policy entry by adding a pwPolicySubentry attribute, see man slapo-ppolicy(5).
-Dieter
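Dieter's point, restated in code as an added example that is not from the OpenLDAP project or from anyone in this thread: strip the pwd* attributes and the pwdPolicy/pwdPolicyChecker object classes out of each user entry, put them once into a policy entry, and link each user to it. The linking attribute is spelled pwdPolicySubentry in slapo-ppolicy(5); the policy DN and the structural class used for the policy entry (device, which requires only cn) are assumptions, and the user entry is a trimmed, constructed version of the one in the original post.

```python
"""Move per-user ppolicy attributes into one policy entry (added example).

Assumes the slapo-ppolicy overlay is loaded on the server. POLICY_DN is a
constructed placeholder; pick a location that exists in your own tree.
"""
POLICY_DN = "cn=standard,ou=Policies,dc=test,dc=com"   # assumed location
POLICY_CLASSES = {"pwdPolicy", "pwdPolicyChecker"}

# Constructed sample: a trimmed copy of one user entry from the post,
# as ordered (attribute, value) pairs.
USER = [
    ("dn", "cn=NEW.user01,ou=People,dc=test,dc=com"),
    ("objectClass", "top"), ("objectClass", "person"),
    ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
    ("uid", "NEW.user01"), ("cn", "NEW.user01"), ("sn", "NEW.user01"),
    ("objectClass", "uidObject"), ("objectClass", "pwdPolicy"),
    ("pwdAttribute", "userPassword"), ("objectClass", "pwdPolicyChecker"),
    ("pwdMinLength", "14"), ("pwdInHistory", "10"), ("pwdCheckQuality", "2"),
    ("pwdLockout", "FALSE"),
]


def is_policy_pair(attr, value):
    """True for attributes that belong in the policy entry, not the user."""
    return attr.lower().startswith("pwd") or (
        attr == "objectClass" and value in POLICY_CLASSES)


def split_policy(entry):
    """Return (user_pairs, policy_pairs) without changing their order."""
    user = [(a, v) for a, v in entry if not is_policy_pair(a, v)]
    policy = [(a, v) for a, v in entry if is_policy_pair(a, v)]
    return user, policy


def rewrite_user(entry, policy_dn=POLICY_DN):
    """User entry with the policy attributes replaced by a pwdPolicySubentry link."""
    user, _ = split_policy(entry)
    user.append(("pwdPolicySubentry", policy_dn))
    return user


def policy_entry(entry, policy_dn=POLICY_DN):
    """Policy entry carrying the pwd* attributes taken from a user entry."""
    _, policy = split_policy(entry)
    cn = policy_dn.split(",", 1)[0].split("=", 1)[1]
    # device is an assumed structural class; pwdPolicy itself is auxiliary.
    return [("dn", policy_dn), ("objectClass", "top"),
            ("objectClass", "device"), ("cn", cn)] + policy


def to_ldif(*entries):
    """Serialise entries as LDIF, separated by a genuinely empty line."""
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e)
                       for e in entries) + "\n"


if __name__ == "__main__":
    # Policy first so it exists before the users that reference it.
    print(to_ldif(policy_entry(USER), rewrite_user(USER)))
```

The output is one policy entry followed by the user entry with a single pwdPolicySubentry line; for the 50 or 200 users mentioned in the post, call rewrite_user on each and emit policy_entry once.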