Hello,
I tried to create a new objectclass and a new attribute to develop scripts to use against an ActiveDirectory.
objectclass=user
attribute=sAMAccountName
I have a new test.schema:
attributetype ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
EQUALITY caseIgnoreMatch
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
objectclass ( 1.2.840.113556.1.5.9
NAME 'user'
DESC 'a user'
SUP inetOrgPerson STRUCTURAL
MUST ( cn )
MAY ( sAMAccountName ) )
This is included in slapd.conf:
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/nis.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/pmi.schema
include ./schema/ppolicy.schema
include ./schema/dyngroup.schema
include ./schema/test.schema
I tried to modify a dummy user after restart ldap.
modify.ldif:
dn: cn=test test,ou=Benutzer,ou=Netzwerk,dc=network,dc=de
changetype: modify
add: sAMAccountName
sAMAccountName: test
I used the ldapmodify tool:
ldapmodify -a -x -D "cn=admin,dc=network,dc=de" -w passwd -H ldap:// -f d:\modify.ldif
Eintrag cn=test test,ou=Benutzer,ou=Netzwerk,dc=network,dc=de wird geändert
ldap_modify: Objektklassenverletzung
ldap_modify: Zusätzliche Info: attribute 'sAMAccountName' not allowed
Can someone explain to me where is the mistake?
Regards,
Alex
On 03/13/18 12:40 +0100, Alexander Schwarz wrote:
> I tried to create a new objectclass and a new attribute to develop scripts to use against an ActiveDirectory.
> objectclass=user
> attribute=sAMAccountName
> attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseIgnoreMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
> objectclass ( 1.2.840.113556.1.5.9 NAME 'user' DESC 'a user' SUP inetOrgPerson STRUCTURAL MUST ( cn ) MAY ( sAMAccountName ) )
> This is included in slapd.conf:
> include ./schema/test.schema
> modify.ldif:
> dn: cn=test test,ou=Benutzer,ou=Netzwerk,dc=network,dc=de
> changetype: modify
> add: sAMAccountName
> sAMAccountName: test
> I used the ldapmodify tool:
> ldapmodify -a -x -D "cn=admin,dc=network,dc=de" -w passwd -H ldap:// -f d:\modify.ldif
> Eintrag cn=test test,ou=Benutzer,ou=Netzwerk,dc=network,dc=de wird geändert
> ldap_modify: Objektklassenverletzung
> ldap_modify: Zusätzliche Info: attribute 'sAMAccountName' not allowed
Have you added the 'user' object class to the 'cn=test test' entry?
On 2018-03-13 12:40, Alexander Schwarz wrote:
> I tried to create a new objectclass and a new attribute to develop scripts to use against an ActiveDirectory.
You should rather use Samba 4 in AD DC mode to build up such an AD-compatible development environment.
> objectclass=user
> attribute=sAMAccountName
> [..]
> I used the ldapmodify tool:
> [..]
> ldap_modify: Zusätzliche Info: attribute 'sAMAccountName' not allowed
This means that none of the entry's object classes allows the use of this attribute. You have to add object class 'user'.
But again, see my note above and follow this advice. Otherwise you will ask a lot of how-to-tweak-OpenLDAP-to-behave-like-AD questions here and basically you would have to reinvent Samba4.
Ciao, Michael.
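To make the point in both replies concrete, here is an added example (not code from the thread or from OpenLDAP) that resolves MUST/MAY over an object class's SUP chain the way slapd's schema check does, so the failing entry's missing 'user' class shows up as exactly the 'sAMAccountName' not allowed error. The mini-schema inside it is constructed: the 'user' class from test.schema plus a cut-down stand-in for the inetOrgPerson hierarchy.

```python
import re

# Constructed mini-schema (added example, not from the thread): the 'user' class from
# test.schema plus a cut-down stand-in for the classes it inherits from (assumption).
SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST ( objectClass ) )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( mail $ uid ) )
objectclass ( 1.2.840.113556.1.5.9 NAME 'user' DESC 'a user' SUP inetOrgPerson STRUCTURAL MUST ( cn ) MAY ( sAMAccountName ) )
"""

def _attr_list(body, keyword):
    """Parse 'MUST ( a $ b )' or 'MUST a' into a lower-cased set of names."""
    m = re.search(r"\b" + keyword + r"\s+(?:\(\s*([^)]*?)\s*\)|(\S+))", body)
    if not m:
        return set()
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return {a.strip().lower() for a in raw.split("$") if a.strip()}

def parse_objectclasses(text):
    """Return {name: {sup, must, may}} for every objectclass definition."""
    flat = re.sub(r"\s+", " ", text).strip()
    classes = {}
    for m in re.finditer(r"objectclass \( (.*?) \)(?= objectclass \(|$)", flat, re.I):
        body = m.group(1)
        name = re.search(r"NAME '([^']+)'", body).group(1).lower()
        sup = re.search(r"\bSUP (\w+)", body)
        classes[name] = {"sup": sup.group(1).lower() if sup else None,
                         "must": _attr_list(body, "MUST"),
                         "may": _attr_list(body, "MAY")}
    return classes

def allowed_attributes(classes, object_classes):
    """Union of MUST and MAY over each listed class and its whole SUP chain,
    which is what slapd consults before reporting 'attribute ... not allowed'."""
    allowed = set()
    for oc in object_classes:
        name = oc.lower()
        while name:
            allowed |= classes[name]["must"] | classes[name]["may"]
            name = classes[name]["sup"]
    return allowed

def disallowed_attributes(classes, entry):
    """Attributes on the entry that none of its object classes permit, i.e.
    the ones that would trigger the thread's objectClass violation."""
    allowed = allowed_attributes(classes, entry["objectClass"])
    return sorted(a for a in entry if a.lower() not in allowed)
```

Running `disallowed_attributes` on the thread's entry with only inetOrgPerson returns ['sAMAccountName']; after appending 'user' to its objectClass values it returns an empty list.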
openldap-technical@openldap.org