Hi list,
I need some urgent advice on the OpenLDAP schema extension.
My OpenLDAP version is slapd 2.4.23 on a Debian squeeze machine.
When I try to activate vacation on the webmail system Roundcube (the webmailer and the plugins are working fine) it says the activation is stored, but when I have a look into the logs of Roundcube, they say:
[16-Dec-2011 11:20:29] Could not add new values to attribute vacationActive: Object class violation: LDAP_OBJECT_CLASS_VIOLATION (65):
[16-Dec-2011 11:20:29] Could not modify entry: Could not add new values to attribute vacationActive: Object class violation: LDAP_OBJECT_CLASS_VIOLATION: (1000):
The slapd logs show the following when I try to activate vacation:
conn=1221 op=4 MOD dn="cn=admin,dc=domain,dc=de"
slapd[14608]: conn=1221 op=4 MOD attr=vacationActive
serv slapd[14608]: slap_queue_csn: queing 0xb58969b6 20111216110200.012914Z#000000#000#000000
serv slapd[14608]: Entry (cn=ldapadmin,dc=folkwang-hochschule,dc=de), attribute 'vacationActive' not allowed
serv slapd[14608]: entry failed schema check: attribute 'vacationActive' not allowed
serv slapd[14608]: conn=1221 op=4 RESULT tag=103 err=65 text=attribute 'vacationActive' not allowed
The following is my vacation.schema which I add to /etc/ldap/slapd.conf:
attributetype ( 1.3.6.1.4.1.39116.1.1.11
    NAME 'vacationActive'
    SINGLE-VALUE
    EQUALITY booleanMatch
    DESC 'A flag, for marking the user as being away'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 1.3.6.1.4.1.39116.1.1.12
    NAME 'vacationInfo'
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    DESC 'Absentee note to leave behind, while on vacation'
    EQUALITY octetStringMatch )
attributetype ( 1.3.6.1.4.1.39116.1.1.13
    NAME 'vacationStart'
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    DESC 'Beginning of vacation'
    EQUALITY octetStringMatch )
attributetype ( 1.3.6.1.4.1.39116.1.1.14
    NAME 'vacationEnd'
    SINGLE-VALUE
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    DESC 'End of vacation'
    EQUALITY octetStringMatch )
attributetype (1.3.6.1.4.1.39116.1.1.15
    NAME 'vacationForward'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
    DESC 'Where to forward mails to, while on vacation' )
#
# Objects start here
#
objectclass ( 1.3.6.1.4.1.39116.1.2.10 NAME 'vacation'
    SUP top AUXILIARY
    DESC 'Users vacation status information'
    MUST vacationActive
    MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward ) )
I imported a user with the object class vacation and the attributes vacationActive, vacationInfo … into my LDAP database.
There the import looks fine.
The user has got the privileges to modify the vacation attributes.
But when I try to modify the entries via vacation-plugin on roundcube, the above errors occur.
Can anybody give me some advice, please?
Thanks
Andreas
--On Friday, December 16, 2011 2:28 PM +0100 Andreas Cieslak andreas@kado-web.de wrote:
Can anybody give me some advice, please?
You need to add the vacation objectClass to your entries first, apparently. If you look at the logged operation, the utility you are using does not try to *add* anything. Just *MOD* what it feels should be an existing attribute. Obviously if the tool was well written, it would check to see if the entry actually had the vacation objectClass first, and then add it if it was missing, along with the required attributes.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
Thanks Quanah,
can you tell me how to import the objectClass to my entries?
Regards Andreas
Now I followed some pages to extend the schema with LDIF files, like this: https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html or this: http://www.howtoforge.com/postfix-virtual-hosting-with-ldap-backend-and-with-dovecot-pop3-imap-on-ubuntu-8.10
But when I try
ldapadd -x -D cn=admin,cn=config -W -f cn={6}vacation.ldif
the following appears:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Then I found somewhere that I have to add "admin" to make changes to the schema. I did that as well, as described on this site: http://ubuntuforums.org/showthread.php?t=1515119
But when I try to modify the schema like this
ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif
it also doesn't work.
config.ldif:
dn: cn=config
changetype: modify

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}Secret

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess

At last I made the changes described above manually in /etc/ldap/cn=config/olcDatabase={0}config.ldif:
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}Secret
olcSyncUseSubentry: FALSE
olcMonitoring: FALSE
structuralObjectClass: olcDatabaseConfig
entryUUID: 46b43100-b692-1030-89be-cbe1073d381b
creatorsName: cn=config
createTimestamp: 20111209091652Z
entryCSN: 20111209091652.472369Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20111209091652Z

Then it is also not working with
ldapadd -x -D cn=admin,cn=config -W -f cn={6}vacation.ldif
Error: invalid credentials. Now I am stuck with modifying the schema. How can I add this admin who can change the schema? Any hints?
I have another admin on an olcDatabase={1}bdb.ldif database who is configured as rootDN for dc=company,dc=org. But when I try to add with this company admin,
ldapadd -x -D cn=admin,dc=company,dc=org -W -f cn={6}vacation.ldif
ends up with "insufficient access".
Any idea?
--On Monday, December 19, 2011 12:39 PM +0100 Andreas Cieslak andreas@kado-web.de wrote:
Now I followed some pages to extend the schema with LDIF files, like this: https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html or this: http://www.howtoforge.com/postfix-virtual-hosting-with-ldap-backend-and-with-dovecot-pop3-imap-on-ubuntu-8.10
Blindly following wikis and other how NOT to's where you clearly don't comprehend what they are saying is definitely going to get you nowhere. You already noted you are using slapd.conf, while the things you are trying to do require you to be using cn=config instead.
You already stated that you have this objectClass and attribute added to one user on your system. That would imply that the schema already exists for the system you are using. Therefore all you need to do is add the objectClass and a dummy value for the attribute to all of your users.
Regards, Quanah
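The check-then-add step described in the replies above (see whether an entry already has the vacation objectClass, and if not add it together with its MUST attribute), as an added example that is not part of the thread. The sample DNs, the inetOrgPerson filter and FALSE as the dummy value are assumptions.

```shell
#!/bin/sh
# Added example. Reads `ldapsearch -LLL` output (dn + objectClass values) on
# stdin and writes LDIF modify records only for entries that do not yet carry
# the 'vacation' auxiliary class. FALSE is an assumed dummy value.
vacation_fixup_ldif() {
    awk '
    function handle(l) {
        if (l ~ /^dn::? /) { dn = l }                  # keep dn line verbatim
        else if (tolower(l) ~ /^objectclass: *vacation *$/) { has = 1 }
    }
    function flush() {
        if (dn != "" && !has) {
            print dn
            print "changetype: modify"
            print "add: objectClass"
            print "objectClass: vacation"
            print "-"
            print "add: vacationActive"    # MUST attribute of the class
            print "vacationActive: FALSE"
            print ""
        }
        dn = ""; has = 0
    }
    /^ / { line = line substr($0, 2); next }           # unfold wrapped LDIF lines
    { handle(line); line = $0; if ($0 == "") flush() }
    END { handle(line); flush() }
    '
}

# Constructed sample input (not from the thread): alice already has the class,
# bob does not, carol does not and her dn is folded across two lines.
sample_search_output() {
    cat <<'EOF'
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: vacation

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson

dn: uid=carol,ou=people,dc=exa
 mple,dc=org
objectClass: inetOrgPerson
EOF
}

sample_search_output | vacation_fixup_ldif

# Against a live directory (base DN, filter and bind DN are placeholders):
#   ldapsearch -x -LLL -b "dc=example,dc=org" "(objectClass=inetOrgPerson)" objectClass \
#     | vacation_fixup_ldif > fixup.ldif
#   ldapmodify -x -D "cn=admin,dc=example,dc=org" -W -f fixup.ldif
```

Skipping entries that already have the class avoids a "type or value exists" failure on the objectClass add, so the generated file can be reapplied after new users are created.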