--On January 13, 2011 11:42:29 AM +0600 Konstantin Boyandin <temmokan(a)gmail.com&gt; wrote: > Hello, > > OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit. > > In order to enable ppolicy overlay, I am trying to create the relevant > entries, as specified in > > http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies I would suggest you compare the version you are running (2.3) with the version that the document you are reading uses (2.4). There is an obvious difference there, and it is a major one. I suggest you run a current supported release of OpenLDAP that matches the documentation you are using.

That appears to be the point. See: http://www.openldap.org/software/man.cgi?query=ppolicy&apropos=0&... ... No results. Also look for the ppolicy in: http://www.openldap.org/doc/admin23/schema.html#Distributed%20Schema%20Files ... It's not there. Where did you get the schema and the libraries necessary?

FWIW: the password policy and MUCH more reliable syncing between servers is why we upgraded in my shop (turned off the old 2.3 master last week after finally overcoming last hurdles: solaris and use by other custom systems.)

- chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: openldap-technical-bounces(a)OpenLDAP.org <openldap-technical-bounces(a)OpenLDAP.org&gt; To: Quanah Gibson-Mount <quanah(a)zimbra.com&gt; Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org&gt; Sent: Wed Jan 12 23:38:54 2011 Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX 13.01.2011 11:55, Quanah Gibson-Mount пишет: > > > --On January 13, 2011 11:42:29 AM +0600 Konstantin Boyandin > <temmokan(a)gmail.com&gt; wrote: > >> Hello, >> >> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit. >> >> In order to enable ppolicy overlay, I am trying to create the relevant >> entries, as specified in >> >> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies > > I would suggest you compare the version you are running (2.3) with the > version that the document you are reading uses (2.4). There is an > obvious difference there, and it is a major one. I suggest you run a > current supported release of OpenLDAP that matches the documentation you > are using. Thanks. I opened the 2.3 admin link instead: http://www.openldap.org/doc/admin23/ and it has no overlays section at all. That's weird, since I am using replication feature and there's a directive overlay syncprov in /etc/openldap/slapd.conf How can I find the reasons for 'Invalid syntax' error in such a situation? Thanks. This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

Perhaps try man slapo_ppolicy

- it should hopefully provide the limits and acceptable values and compare with your ldif to find the cause of "Error description: An invalid attribute value was specified." Alternative: reduce the number of attributes (divide and conquer) to find the culprit. Perhaps also checking the schema file for the limits or acceptable values.

> Or check the archives, e.g. > <http://www.openldap.org/lists/openldap-software/200802/msg00337.html>;: > for some time, in OpenLDAP 2.3, the pwdAttribute could only contain OIDs. Thank you very much! After I changed the string to pwdAttribute: 2.5.4.35 the import was a success. This problem's solved. So reading Web *can* be of more use than reading man pages only.

Chris Jacobs wrote: > Perhaps try man slapo_ppolicy The man page name is slapo-ppolicy(5). > - it should hopefully provide the limits and acceptable values and compare with your ldif to find the cause of "Error description: An invalid attribute value was specified." > > Alternative: reduce the number of attributes (divide and conquer) to find the culprit. > > Perhaps also checking the schema file for the limits or acceptable values. Or check the archives, e.g. <http://www.openldap.org/lists/openldap-software/200802/msg00337.html>;: for some time, in OpenLDAP 2.3, the pwdAttribute could only contain OIDs.

Hello, OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit. In order to enable ppolicy overlay, I am trying to create the relevant entries, as specified in http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies I import two LDIFs, first: dn: ou=Policies,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: Policies and second dn: cn=default,ou=Policies,dc=example,dc=com cn: default objectClass: top objectClass: pwdPolicy objectClass: person pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 600 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 2 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 0 pwdMaxAge: 7776000 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLength: 5 pwdMustChange: FALSE pwdSafeModify: FALSE sn: dummy value The first loads OK. When I try to import the second, I receive this diagnostics: Could not add object cn=default,ou=Policies,dc=itelsib,dc=com Message: Invalid syntax Error code: 0x15 (LDAP_INVALID_SYNTAX) Error description: An invalid attribute value was specified. Could someone suggest what's wrong with the attribute name?

13.01.2011 13:39, Howard Chu writes: > Konstantin Boyandin wrote: >> Hello, >> >> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit. >> >> In order to enable ppolicy overlay, I am trying to create the relevant >> entries, as specified in >> >> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies >> >> I import two LDIFs, first: >> >> dn: ou=Policies,dc=example,dc=com >> objectClass: organizationalUnit >> objectClass: top >> ou: Policies >> >> and second >> >> dn: cn=default,ou=Policies,dc=example,dc=com >> cn: default >> objectClass: top >> objectClass: pwdPolicy >> objectClass: person >> pwdAllowUserChange: TRUE >> pwdAttribute: userPassword >> pwdCheckQuality: 2 >> pwdExpireWarning: 600 >> pwdFailureCountInterval: 30 >> pwdGraceAuthNLimit: 2 >> pwdInHistory: 5 >> pwdLockout: TRUE >> pwdLockoutDuration: 0 >> pwdMaxAge: 7776000 >> pwdMaxFailure: 5 >> pwdMinAge: 0 >> pwdMinLength: 5 >> pwdMustChange: FALSE >> pwdSafeModify: FALSE >> sn: dummy value >> >> The first loads OK. >> When I try to import the second, I receive this diagnostics: >> >> Could not add object cn=default,ou=Policies,dc=itelsib,dc=com >> Message: Invalid syntax >> Error code: 0x15 (LDAP_INVALID_SYNTAX) >> Error description: An invalid attribute value was specified. >> >> Could someone suggest what's wrong with the attribute name? > > OpenLDAP never produces the text you provided above. It seems you're > using some other LDAP tool to do this import, and it is not showing you > the actual error message sent from the server. OpenLDAP slapd will > always identify the actual attribute and value that causes an error. I > suggest you try importing this entry with OpenLDAP's ldapadd and examine > the error message from there. I tried importing with slapadd. The output: str2entry: invalid value for attributeType pwdAttribute #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=22) The error above refers to the allowed value of pwdAttribute, which can only be userPassword now. The problem is the value for this attribute in LDIF *is* userPassword, as in the cited sample. I checked the LDIF - no 'invisible' characters around the value.

JFYI, I checked the values for the attributes using man page. This, and other references provided with packages is where I look first prior to asking on the Net.