So with your help, I managed to fix my initial issues of adding some additional schemas to my system. Now, when I try to add the directory data from my old LDAP servers with slapcat, I'm getting the following structural error:
(line=168): (65) invalid structural object class chain (account/krbPrincipal)
The relevant portions for the offending dn look like this:
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipal
structuralObjectClass: account
I should point out that I recently inherited this LDAP directory, and now I'm upgrading the LDAP servers to new hardware and a new OS with a much newer version of OpenLDAP. I've never seen the structuralObjectClass attribute before. From my experience, when you get errors like this, it's because either the schemas have changed, or someone used the -c switch when adding new entries to the directory. Usually it's the latter.
I have googled my error and found many discussions for 'invalid structural object chain' on this list, but none of them seem to apply to this case. Most problems seemed to be caused by having multiple conflicting STRUCTURAL object classes in one entry, but that doesn't seem to be the case since krbPrincipal is not STRUCTURAL. It's also not AUXILIARY:
objectclass ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
account is STRUCTURAL:
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizationName $ organizationalUnitName $ host ) )
but posixAccount and shadowAccount are AUXILIARY :
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ shadowFlag $ description ) )
Any ideas for how to fix this? Could I just remove the account objectClass? I'm not sure whether or not we're using any of its attributes.
Prentice Bisbal wrote:
> objectClass: account
> objectClass: krbPrincipal
> structuralObjectClass: account
>
> I have googled my error and found many discussions for 'invalid structural object chain' on this list, but none of them seem to apply to this case.
That's what AUXILIARY object class 'krbPrincipalAux' is for.
If it's not present in your current schema you should grab a more recent version of the MIT Kerberos LDAP schema.
Ciao, Michael.
On 05/13/2017 07:00 AM, Michael Ströder wrote:
> Prentice Bisbal wrote:
>> objectClass: account
>> objectClass: krbPrincipal
>> structuralObjectClass: account
>>
>> I have googled my error and found many discussions for 'invalid structural object chain' on this list, but none of them seem to apply to this case.
>
> That's what AUXILIARY object class 'krbPrincipalAux' is for.
>
> If it's not present in your current schema you should grab a more recent version of the MIT Kerberos LDAP schema.
Michael,
Thanks. That's exactly the answer I was looking for. I do have krbPrincipalAux in my Kerberos schema, but it raises another question about which schema(s) to use, which I'll raise here as a separate post, since that's a new topic of discussion and goes beyond just this one specific schema issue.
Prentice
Prentice Bisbal wrote:
> On 05/13/2017 07:00 AM, Michael Ströder wrote:
>> Prentice Bisbal wrote:
>>> objectClass: account
>>> objectClass: krbPrincipal
>>> structuralObjectClass: account
>>>
>>> I have googled my error and found many discussions for 'invalid structural object chain' on this list, but none of them seem to apply to this case.
>>
>> That's what AUXILIARY object class 'krbPrincipalAux' is for.
>>
>> If it's not present in your current schema you should grab a more recent version of the MIT Kerberos LDAP schema.
>
> Thanks. That's exactly the answer I was looking for. I do have krbPrincipalAux in my Kerberos schema, but it raises another question about which schema(s) to use, which I'll raise here as a separate post, since that's a new topic of discussion and goes beyond just this one specific schema issue.
You should use the current schema file shipped with your particular Kerberos installation.
You can combine 'krbPrincipalAux' with 'account' or 'inetOrgPerson' or whatever you're using as object class for user accounts. I'm pretty sure you will easily find documentations / presentations about schema design in general. It's a pretty broad topic though. YMMV.
Ciao, Michael.
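Added example (editor's code, not from the thread, OpenLDAP or MIT Kerberos): a small Python pre-flight lint that re-implements the rule behind the error in the original post and then applies Michael's fix. It parses the object class definitions quoted in the first post (plus 'top' from RFC 4512 and an abbreviated krbPrincipalAux, whose OID and attribute list are an assumption here; the authoritative one is the kerberos.schema shipped with your KDC), reads a constructed LDIF entry modelled on the offending one, and reports the same "invalid structural object class chain (account/krbPrincipal)" that slapadd printed. The root cause it makes visible: the krbPrincipal definition names no kind at all, and in the RFC 4512 object class description syntax the kind defaults to STRUCTURAL, so the entry ends up carrying two unrelated structural classes. Rewriting objectClass: krbPrincipal to the AUXILIARY krbPrincipalAux makes the same entry pass. The DN, uid and principal name are made up.

```python
"""Structural-object-class lint for slapcat LDIF before slapadd (added example)."""
import re

# Definitions quoted in the thread plus 'top' (RFC 4512), one per line; MAY lists shortened.
# krbPrincipalAux's OID/attribute list is an assumption here; use your KDC's kerberos.schema.
SCHEMA_TEXT = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL MUST userid MAY ( description $ host ) )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( loginShell ) )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( shadowLastChange ) )
objectclass ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
objectclass ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName ) )
"""
# Constructed entry modelled on the thread's offending one (DN and values made up).
BROKEN_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipal
structuralObjectClass: account
uid: jdoe
krbPrincipalName: jdoe@EXAMPLE.COM
"""

def parse_schema(text):
    """Map lower-cased class name -> {name, kind, sup}; a missing kind means STRUCTURAL (RFC 4512 4.1.1)."""
    schema = {}
    for m in filter(None, (re.match(r"objectclass\s*\((.*)\)\s*$", ln, re.I) for ln in text.splitlines())):
        body = re.sub(r"DESC\s+'[^']*'", "", m.group(1))   # DESC text could contain a kind keyword
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        sup = re.search(r"SUP\s+(\([^)]*\)|\S+)", body)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", body)
        schema[name.lower()] = {
            "name": name,
            "sup": [s.lower() for s in re.findall(r"[\w-]+", sup.group(1))] if sup else [],
            "kind": kind.group(1) if kind else "STRUCTURAL",
        }
    return schema

def is_derived(schema, sub, sup):
    """True if `sub` equals `sup` or reaches it by following SUP links."""
    seen, stack = set(), [sub.lower()]
    while stack:
        cur = stack.pop()
        if cur == sup.lower():
            return True
        if cur not in seen and cur in schema:
            seen.add(cur)
            stack.extend(schema[cur]["sup"])
    return False

def structural_class(schema, object_classes):
    """slapd's rule: all STRUCTURAL classes on an entry must sit on one SUP chain; returns (class, error)."""
    sc = None
    for oc in object_classes:
        info = schema.get(oc.lower())
        if info is None:
            return None, "unknown object class '%s'" % oc
        if info["kind"] != "STRUCTURAL":
            continue
        if sc is None or is_derived(schema, oc, sc):
            sc = info["name"]                       # oc refines the current candidate
        elif not is_derived(schema, sc, oc):        # two unrelated structural classes
            return None, "invalid structural object class chain (%s/%s)" % (sc, info["name"])
    return sc, None if sc else "no structural object class provided"

def parse_ldif(text):
    """Minimal slapcat-output reader: 'attr: value', space-folded lines, '#' comments; base64 '::' not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:
                entry[last][-1] += line[1:]
            elif not line.startswith("#"):
                attr, _, value = line.partition(":")
                last = attr.strip().lower()
                entry.setdefault(last, []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(schema, entry):
    """Errors slapadd would raise for this entry's object class set."""
    sc, err = structural_class(schema, entry.get("objectclass", []))
    errors = [err] if err else []
    declared = entry.get("structuralobjectclass", [None])[0]
    if sc and declared and declared.lower() != sc.lower():
        errors.append("structuralObjectClass '%s' does not match computed '%s'" % (declared, sc))
    return errors

def lint(ldif_text, schema_text=SCHEMA_TEXT):
    """{dn: [errors]} for each entry slapadd would reject; an empty dict means clean."""
    schema = parse_schema(schema_text)
    return {e["dn"][0]: errs for e in parse_ldif(ldif_text) if (errs := check_entry(schema, e))}

def replace_object_class(ldif_text, old, new):
    """Apply the thread's fix: rewrite 'objectClass: old' lines to 'objectClass: new'."""
    return re.sub(r"^(objectclass:\s*)%s\s*$" % re.escape(old), r"\g<1>" + new, ldif_text, flags=re.I | re.M)

if __name__ == "__main__":
    print("before:", lint(BROKEN_LDIF))
    print("after: ", lint(replace_object_class(BROKEN_LDIF, "krbPrincipal", "krbPrincipalAux")))
```

To use it on a real export, feed `lint()` the concatenated text of the schema files your new slapd loads and the slapcat output, and fix every reported DN before running slapadd without -c. The lint only checks the structural chain, the declared structuralObjectClass and unknown class names; slapadd additionally enforces MUST attributes, so an entry that passes here can still be rejected for a missing required attribute.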
openldap-technical@openldap.org