No Such Attribute: Entry cn=schema cannot be modified because the attempt to update attribute objectclasses - ldap

I am facing this issue while trying to upgrade ForgeRock OpenAM from 13.5.2 to 14.6.4. Can anyone help as to what the cause of this error is? Does it require any changes to be done on the OpenDJ side?
Thread[http-bio-8080-exec-2,5,main]: TransactionId[cb42ba57-6658-42db-a5c5-d2b8ac630453-30]
ERROR: An error occurred while processing /WEB-INF/template/ldif/sfha/cts-add-multivalue.ldif
org.forgerock.opendj.ldap.ConstraintViolationException: No Such Attribute: Entry cn=schema cannot be modified because the attempt to update attribute objectclasses would have removed one or more values from the attribute that were not present: ( 1.3.6.1.4.1.36733.2.2.2.27 )
I see that /WEB-INF/template/ldif/sfha/cts-add-multivalue.ldif has the content below:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.136 NAME ( 'coreTokenMultiString01' ) DESC 'General mapped multi value string field' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ForgeRock OpenAM CTSv2' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.137 NAME ( 'coreTokenMultiString02' ) DESC 'General mapped multi value string field' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ForgeRock OpenAM CTSv2' )
attributeTypes: ( 1.3.6.1.4.1.36733.2.2.1.138 NAME ( 'coreTokenMultiString03' ) DESC 'General mapped multi value string field' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ForgeRock OpenAM CTSv2' )
It would help if anyone could explain the error so that I can debug this further.

Related

Don't understand how to remove custom olcAttributeTypes and olcObjectClasses. Openldap

I created custom olcAttributeTypes and olcObjectClasses via ldapmodify with this LDIF:
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 1.7.11.3.1
  NAME 'freshid3'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.7.11.3.2
  NAME 'rocketid3'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
-
add: olcObjectClasses
olcObjectClasses: ( 1.7.11.3.3
  NAME 'astrofInfo1'
  DESC 'astrofInfo1'
  SUP top
  AUXILIARY
  MAY (freshid $ rocketid))
Those classes are working, but I want to remove them all and start from scratch. If I look in the slapd.d dir I see /slapd.d/cn=config/cn=schema.ldif with this content:
# CRC32 c427b1a1
dn: cn=schema
objectClass: olcSchemaConfig
cn: schema
structuralObjectClass: olcSchemaConfig
entryUUID: 445fd29a-ebfd-1037-85e2-25e1d38603b9
creatorsName: cn=admin,cn=config
createTimestamp: 20180514200100Z
olcAttributeTypes: {0}( 1.7.11.1.1 NAME 'freshid' EQUALITY caseIgn
 oreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466
 .115.121.1.15 )
olcAttributeTypes: {1}( 1.7.11.1.2 NAME 'rocketid' EQUALITY caseIg
 noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.15{1024} )
olcAttributeTypes: {2}( 1.7.11.3.1 NAME 'freshid3' EQUALITY caseIg
 noreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.146
 6.115.121.1.15 )
olcAttributeTypes: {3}( 1.7.11.3.2 NAME 'rocketid3' EQUALITY caseI
 gnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.14
 66.115.121.1.15{1024} )
olcObjectClasses: {0}( 1.7.11.1.3 NAME 'astrofData' DESC 'astrofData' SUP
  inetOrgPerson STRUCTURAL MAY (freshid $ rocketid))
olcObjectClasses: {1}( 1.7.11.3.3 NAME 'astrofInfo1' DESC 'astrofInfo1' S
 UP top AUXILIARY MAY (freshid $ rocketid))
entryCSN: 20220223203521.059097Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20220223203521Z
What I tried in order to remove them:
Create and execute an LDIF with content like the first one, but change add to delete:
changetype: modify
delete: olcAttributeTypes
olcAttributeTypes: ( 1.7.11.3.1
  NAME 'freshid3'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: ( 1.7.11.3.2
  NAME 'rocketid3'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
-
delete: olcObjectClasses
olcObjectClasses: ( 1.7.11.3.3
  NAME 'astrofInfo1'
  DESC 'astrofInfo1'
  SUP top
  AUXILIARY
  MAY (freshid $ rocketid))
And got an error like this:
ldap_modify: Operations error (1)
Tried an LDIF like this:
changetype: modify
delete: olcAttributeTypes
olcAttributeTypes: (1.7.11.3.1)
olcAttributeTypes: (1.7.11.3.2)
-
delete: olcObjectClasses
olcObjectClasses: (1.7.11.3.3)
And got this message.
ldap_modify: No such attribute (16)
additional info: modify/delete: olcAttributeTypes: no such value
I don't understand why I can create them but can't delete them :(
I will be very appreciative of any help.
If you want to remove the olcAttributeTypes: {0}( 1.7.11.1.1 ... attribute value then you have to use the following LDIF content (in your case the dn part may be optional):
dn: ...
changetype: modify
delete: olcAttributeTypes
olcAttributeTypes: {0}
Note the olcAttributeTypes: {0} part.
At the LDAP log level you should see some complaints about some missing parts, but I guess you can ignore them as they look like informational ones.
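Both the OpenDJ error at the top of the page ("would have removed one or more values from the attribute that were not present") and the "modify/delete: olcAttributeTypes: no such value" above come from the same server-side check: a delete inside a modify must name a value the server actually holds, matched by whatever rule the attribute uses. The Python script below is an added example, not code from any of the posts and not ForgeRock's or OpenLDAP's own tooling. It parses an LDIF modify record and compares it against a snapshot of the schema entry's current values before anything is sent to the server. The snapshot, the LDIF and the OIDs under 1.3.6.1.4.1.99999 are constructed, and the two matching modes are an assumption that approximates the servers' behaviour: first-component OID matching, which RFC 4512 specifies for subschema attributes such as objectClasses, and OpenLDAP's cn=config whole-value matching with the {n} positional prefix.

```python
"""Pre-flight check for an LDIF 'changetype: modify' against a schema entry.
Added example, not code from the posts above. Given the values the server
currently holds (as ldapsearch on cn=schema would return them; constructed here)
and the LDIF about to be applied, report every 'delete' value the server does not
have and every 'add' value it already has, before ldapmodify touches anything."""
import re

ORDER_PREFIX = re.compile(r"^\{(\d+)\}")          # OpenLDAP cn=config X-ORDERED prefix, e.g. {0}
FIRST_COMPONENT = re.compile(r"^\(\s*([^\s)]+)")  # the OID at the start of '( 1.2.3 NAME ... )'

def unfold(text):
    """Join LDIF continuation lines (a leading space) and drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return [l for l in lines if l.strip()]

def parse_modify(ldif_text):
    """Return (dn, [(op, attribute-lowercase, [values])]) for one LDIF modify record."""
    dn, changes, current = None, [], None
    for line in unfold(ldif_text):
        if line == "-":                            # end of one modification
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "changetype":
            if value.lower() != "modify":
                raise ValueError("only changetype: modify is supported here")
        elif key in ("add", "delete", "replace"):
            current = (key, value.lower(), [])
            changes.append(current)
        elif current is not None and key == current[1]:
            current[2].append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    return dn, changes

def split_ordered(value):
    """'{n}( ... )' -> (n, '( ... )'); a value without the prefix -> (None, value)."""
    m = ORDER_PREFIX.match(value)
    return (int(m.group(1)), value[m.end():].strip()) if m else (None, value.strip())

def matches(requested, stored, by_first_component):
    """Would the value named in the LDIF select this stored value on the server?"""
    req_idx, req_body = split_ordered(requested)
    sto_idx, sto_body = split_ordered(stored)
    if req_idx is not None and not req_body:       # '{0}' alone: select by position (OpenLDAP)
        return req_idx == sto_idx
    if by_first_component:                         # objectIdentifierFirstComponentMatch (RFC 4512)
        a, b = FIRST_COMPONENT.match(req_body), FIRST_COMPONENT.match(sto_body)
        return bool(a and b) and a.group(1).lower() == b.group(1).lower()
    # caseIgnoreMatch on the whole definition: whitespace- and case-insensitive
    return " ".join(req_body.split()).lower() == " ".join(sto_body.split()).lower()

def preflight(ldif_text, server_values, by_first_component=True):
    """List the value mismatches the server would reject; an empty list means safe to apply."""
    dn, changes = parse_modify(ldif_text)
    problems = []
    for op, attr, values in changes:
        stored = server_values.get(attr, [])
        for v in values:
            present = any(matches(v, s, by_first_component) for s in stored)
            if op == "delete" and not present:
                problems.append(f"{dn}: delete {attr}: no such value: {v}")
            elif op == "add" and present:
                problems.append(f"{dn}: add {attr}: value already exists: {v}")
    return problems

# Constructed snapshot of cn=schema (what ldapsearch would return for attributeTypes and
# objectClasses); the OIDs under 1.3.6.1.4.1.99999 are placeholders, not real definitions.
SERVER_SCHEMA = {
    "attributetypes": ["( 1.3.6.1.4.1.99999.2.1 NAME 'exampleField' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )"],
    "objectclasses": ["( 1.3.6.1.4.1.99999.1.1 NAME 'exampleToken' SUP top STRUCTURAL MUST cn )"],
}

# Constructed LDIF: the add is fine, the delete names a class the server never had.
MODIFY_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.2.2 NAME 'exampleField2'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
-
delete: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.1.7 NAME 'removedToken' SUP top STRUCTURAL )
"""

if __name__ == "__main__":
    for problem in preflight(MODIFY_LDIF, SERVER_SCHEMA):
        print(problem)
```

Run as-is it reports the one mismatch; to check a real upgrade file, pass the attribute values read from the server with ldapsearch as `server_values` and the LDIF text as `ldif_text`, with `by_first_component=False` for OpenLDAP's cn=config, where a bare `{n}` selects a value by position and anything else has to equal the stored definition.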

Creating a new ObjectClass and Attribute in openLDAP

I am new to LDAP and have searched for how to add a simple objectClass and attributes, but I'm still getting an error.
I would like to have an object 'adminFunc' with a simple string attribute 'functionId', so I copied adminFunc.schema and adminFunc.ldif to the schema folder:
adminFunc.schema:
objectidentifier adminFuncSchema 1.3.6.1.4.1.X.Y
objectidentifier funcAttrs adminFuncSchema:3
objectidentifier funcClass adminFuncSchema:4
attributetype ( funcAttrs:2
    NAME 'functionId'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    ORDERING caseIgnoreOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
objectclass (
    funcClass:1
    NAME 'adminFunc'
    DESC 'Admin permission'
    SUP ( top ) AUXILIARY
    MAY functionId )
adminFunc.ldif (which has been generated automatically by running slaptest):
dn: cn=adminFunc
objectClass: olcSchemaConfig
cn: adminFunc
olcObjectIdentifier: adminFuncSchema 1.3.6.1.4.1.X.Y
olcObjectIdentifier: funcAttrs adminFuncSchema:3
olcObjectIdentifier: funcClass adminFuncSchema:4
olcAttributeTypes: ( funcAttrs:2 NAME 'functionId' EQUALITY caseIgnoreMat
 ch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15{255} )
olcObjectClasses: ( funcClass:1 NAME 'adminFunc' DESC 'Admin permission'
  SUP top AUXILIARY MAY functionId )
structuralObjectClass: olcSchemaConfig
entryUUID: c43389f4-0bfb-1037-959b-c9dc976d6fc3
creatorsName: cn=config
createTimestamp: 20170802182555Z
entryCSN: 20170802182555.047279Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20170802182555Z
modify.ldif
My dn is ou=Local,ou=SV,dc=example,dc=com.
I'm trying to run this command to create a new Call_Center object:
ldapmodify -x -W -D "cn=ldapadmin,dc=example,dc=com" -f modify.ldif
dn: cn=Call_Center,ou=Local,ou=SV,dc=example,dc=com
changetype: add
objectClass: top
objectClass: adminFunc
cn: Call_Center
functionId: 1010
But it can't find my adminFunc object:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=Call_Center,ou=Local,ou=SV,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
Not sure what I'm missing.
Thanks
These are my steps for creating a new object and attribute in OpenLDAP:
Create the schema file, e.g. test.schema:
# Attribute definition
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
    NAME 'sampleAttribute'
    DESC 'Sample Attribute'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
# Object Class Definition
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
    NAME 'SampleObject'
    DESC 'Sample object'
    SUP top
    STRUCTURAL
    MUST ( cn $ sampleAttribute ) )
Create a conf file, e.g. test.conf:
include /home/test.schema
On the server, run:
#create directory
mkdir testdir
#run slaptest
slaptest -f test.conf -F testdir
The resulting file will be testdir/cn=config/cn=schema/cn={0}test.ldif and will look something like this (after some manual editing):
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 f74b018a
dn: cn=sample,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sample
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.4.1.6 NAME 'sampleAttribute'
  DESC 'Sample Attribute' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.
 121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.4.2.1 NAME 'SampleObject' DESC 'Sam
 ple object' SUP top STRUCTURAL MUST ( cn $ sampleAttribute ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 4a10b3ec-4aca-1036-997a-3fcaae1517d7
creatorsName: cn=config
createTimestamp: 20161129215530Z
entryCSN: 20161129215530.381328Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20161129215530Z
I renamed mine to sample.ldif.
Add the LDIF to the schema
On the server, run:
service slapd stop
slapadd -l sample.ldif -n 0
#to populate the config database slapd-config(5), use -n 0 as it is always the first database.
service slapd start

ldap_add: Invalid syntax (21) additional info: objectClass: value #3 invalid per syntax

I have this LDIF:
dn: uniqueIdentifier=user.acc,ou=people,dc=domaine,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: PostfixBookMailAccount
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user.acc
cn: user acc
givenName: acc
uidNumber: 2000
gidNumber: 5002
loginShell: /bin/bash
homeDirectory: /home/user
mail: user.acc#domaine.com
mailEnabled: TRUE
mailGidNumber: 5000
which I'm trying to use to configure the LDAP server with the following command:
ldapadd -W -D "cn=admin,dc=domaine,dc=com" -f userimport.ldif
It gives me the error:
ldap_add: Invalid syntax (21)
additional info: objectClass: value #3 invalid per syntax
Here is the configuration I used:
cd /etc/ldap/schema
wget http://www.postfix-buch.com/download/postfix-book.schema.gze
gunzip postfix-book.schema.gz
cd /etc/ldap/schema
mkdir ldif_output
touch schema_convert.conf
The schema_convert.conf file contains the schema to be converted (and any dependencies):
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/postfix-book.schema
Finally, in the postfix-book.ldif, the following changes need to be made:
dn: cn=postfix-book,cn=schema,cn=config
cn: postfix-book
Remove the metadata starting from structuralObjectClass
Then add it to the directory as follows:
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f postfix-book.ldif
The file postfix-book.ldif contains the schema of PostfixBookMailAccount:
olcObjectClasses: {0}( 1.3.6.1.4.1.29426.1.2.2.1
  NAME 'PostfixBookMailAccount'
  DESC 'Mail account used in Postfix Book'
  SUP top AUXILIARY
  MUST mail
  MAY ( mailHomeDirectory $ mailAlias $ mailGroupMember $ mailUidNumber $ mailGidNumber $ mailEnabled $ mailQuota $ mailStorageDirectory ) )
Here is the file postfix-book.schema:
# $Id$
#
# State of Mind
# Private Enterprise Number: 29426
#
# OID prefix: 1.3.6.1.4.1.29426
#
# Attributes: 1.3.6.1.4.1.29426.1.10.x
#
attributetype ( 1.3.6.1.4.1.29426.1.10.1 NAME 'mailHomeDirectory'
    DESC 'The absolute path to the mail user home directory'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.29426.1.10.2 NAME 'mailAlias'
    DESC 'RFC822 Mailbox - mail alias'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.29426.1.10.3 NAME 'mailUidNumber'
    DESC 'UID required to access the mailbox'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.29426.1.10.4 NAME 'mailGidNumber'
    DESC 'GID required to access the mailbox'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.29426.1.10.5 NAME 'mailEnabled'
    DESC 'TRUE to enable, FALSE to disable account'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.29426.1.10.6 NAME 'mailGroupMember'
    DESC 'Name of a mail distribution list'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.29426.1.10.7 NAME 'mailQuota'
    DESC 'Mail quota limit in kilobytes'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.29426.1.10.8 NAME 'mailStorageDirectory'
    DESC 'The absolute path to the mail users mailbox'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
#
# Objects: 1.3.6.1.4.1.29426.1.2.2.x
#
objectclass ( 1.3.6.1.4.1.29426.1.2.2.1 NAME 'PostfixBookMailAccount'
    SUP top AUXILIARY
    DESC 'Mail account used in Postfix Book'
    MUST ( mail )
    MAY ( mailHomeDirectory $ mailAlias $ mailGroupMember
    $ mailUidNumber $ mailGidNumber $ mailEnabled
    $ mailQuota $mailStorageDirectory ) )
objectclass ( 1.3.6.1.4.1.29426.1.2.2.2 NAME 'PostfixBookMailForward'
    SUP top AUXILIARY
    DESC 'Mail forward used in Postfix Book'
    MUST ( mail $ mailAlias ))
And thank you for your help.

How I can add objectclass to an entry in ldap with ldif?

I have this schema:
attributetype ( 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1
    NAME 'email2'
    DESC 'email2'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2 NAME 'myMember'
    DESC 'mymenber'
    SUP top STRUCTURAL
    MAY ( email2 ) )
And I have this object:
dn: o=myGroup,c=es
o: myGroup
objectClass: top
objectClass: organization
I want to add the objectclass myMember to dn: o=myGroup,c=es. I have created this LDIF:
dn: o=myGroup,c=es
changetype: modify
add: objectclasses
objectclasses: myMember
But when I execute this, I get an error:
>> ldapmodify -x -f modify.ldif -D 'cn=root,c=es' -W
Enter LDAP Password:
modifying entry "o=myGroup,c=es"
ldapmodify: Invalid syntax (21)
additional info: objectclasses: value #0 normalization failed
What am I doing wrong?
EJP is right from the pure syntax point of view. But from the theoretical point of view, myMember should be an AUXILIARY (not STRUCTURAL) class to be added to objects of other classes.
objectclass ( 2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2 NAME 'myMember'
DESC 'mymenber'
SUP top AUXILIARY
MAY ( email2 ) )
Change 'objectclasses' to 'objectclass' throughout.
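The three preceding questions share one class of root cause: slapd validates every objectClass value of an entry against the schema it actually has loaded (not a .schema file sitting in a directory) and reports an unknown class as "objectClass: value #N invalid per syntax", numbering the values from 0; an entry can carry several STRUCTURAL classes only if they form one SUP chain, which is why the answer turns myMember into an AUXILIARY class; and an entry's classes live in objectClass, not in the subschema attribute objectClasses. The Python script below is an added example, not code from the posts and not OpenLDAP's own validator: it parses slapd-style .schema definitions, objectidentifier macros included, and applies those checks to a candidate entry offline. The schema text, the entries and the OIDs under 1.3.6.1.4.1.99999 are constructed.

```python
"""Check an entry's objectClass values against a slapd-style .schema file.
Added example, not code from the posts above: it parses objectidentifier, attributetype and
objectclass definitions and flags what makes slapd answer 'Invalid syntax (21) ... objectClass:
value #N invalid per syntax' or refuse an add-on class that is STRUCTURAL instead of AUXILIARY."""
import re
from itertools import combinations

KINDS = {"STRUCTURAL", "AUXILIARY", "ABSTRACT"}
FLAGS = {"SINGLE-VALUE", "OBSOLETE", "COLLECTIVE", "NO-USER-MODIFICATION"}  # keywords without a value

def _definitions(text):
    """Yield (keyword, tokens) per top-level definition; '#' lines are comments."""
    body = " ".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    body = re.sub(r"'[^']*'", lambda m: m.group(0).replace(" ", "_"), body)  # keep 'a b' one token
    toks, i = body.replace("(", " ( ").replace(")", " ) ").replace("$", " ").split(), 0
    while i < len(toks):
        kw = toks[i].lower()
        if kw == "objectidentifier":          # objectidentifier <macro> <oid | macro:suffix>
            yield kw, toks[i + 1:i + 3]
            i += 3
        elif kw in ("attributetype", "objectclass"):
            depth, j = 1, i + 2               # toks[i + 1] is the opening '('
            while depth:                      # advance to the matching ')'
                depth += (toks[j] == "(") - (toks[j] == ")")
                j += 1
            yield kw, toks[i + 1:j]
            i = j
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")

def _parse(toks):
    """['(', oid, 'NAME', ..., ')'] -> dict with oid, names, sup, kind, must, may."""
    d = {"oid": toks[1], "names": [], "sup": [], "kind": "STRUCTURAL", "must": [], "may": []}
    pos = 2
    while pos < len(toks) - 1:                # toks[-1] is the closing ')'
        kw, pos = toks[pos].upper(), pos + 1
        if kw in KINDS:
            d["kind"] = kw
        elif kw in ("NAME", "SUP", "MUST", "MAY"):   # one name, or a parenthesised list
            end = toks.index(")", pos) if toks[pos] == "(" else pos
            d["names" if kw == "NAME" else kw.lower()] = [t.strip("'") for t in toks[pos:end + 1] if t not in ("(", ")")]
            pos = end + 1
        elif kw not in FLAGS:                 # DESC, EQUALITY, SYNTAX, X-ORIGIN ...: skip its value
            pos += 1
    return d

class Schema:
    def __init__(self, text):
        self.macros, self.attrs, self.classes = {}, {}, {}
        for kw, toks in _definitions(text):
            if kw == "objectidentifier":
                self.macros[toks[0]] = self.oid(toks[1])
                continue
            d = _parse(toks)
            d["oid"] = self.oid(d["oid"])
            for name in d["names"]:
                (self.attrs if kw == "attributetype" else self.classes)[name.lower()] = d

    def oid(self, token):
        """Expand 'macro' / 'macro:suffix' set by objectidentifier; literal OIDs pass through."""
        name, _, suffix = token.partition(":")
        return self.macros[name] + ("." + suffix if suffix else "") if name in self.macros else token

    def ancestors(self, name):
        """The class itself plus everything reachable through SUP (lowercase names)."""
        oc = self.classes.get(name.lower())
        return {name.lower()} | set().union(*(self.ancestors(s) for s in oc["sup"])) if oc else set()

    def check_entry(self, entry):
        """entry = {lowercase attribute: [values]}; returns the problems slapd would reject it for."""
        problems, known = [], []
        if "objectclasses" in entry:          # the slip in the last question above
            problems.append("'objectClasses' is the subschema attribute; an entry's classes go in 'objectClass'")
        for n, name in enumerate(entry.get("objectclass", [])):
            if name.lower() in self.classes:
                known.append(name.lower())
            else:                             # what slapd reports as 'objectClass: value #N invalid per syntax'
                problems.append(f"objectClass: value #{n} '{name}' is not defined in the loaded schema")
        structural = [c for c in known if self.classes[c]["kind"] == "STRUCTURAL"]
        for a, b in combinations(structural, 2):   # several STRUCTURAL classes must form one SUP chain
            if a not in self.ancestors(b) and b not in self.ancestors(a):
                problems.append(f"'{a}' and '{b}' are unrelated STRUCTURAL classes; an add-on class must be AUXILIARY")
        return problems

# Constructed schema text; 1.3.6.1.4.1.99999 stands in for a real private enterprise number.
SAMPLE_SCHEMA = """
objectidentifier exampleRoot 1.3.6.1.4.1.99999
objectidentifier funcClass exampleRoot:4
attributetype ( exampleRoot:3.2 NAME 'functionId' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} )
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL MUST o )
objectclass ( funcClass:1 NAME 'adminFunc' DESC 'Admin permission' SUP ( top ) AUXILIARY MAY functionId )
objectclass ( exampleRoot:5.1 NAME 'myMember' SUP top STRUCTURAL MAY ( email2 ) )
objectclass ( exampleRoot:5.2 NAME 'myMemberAux' SUP top AUXILIARY MAY ( email2 ) )
"""

if __name__ == "__main__":
    print(Schema(SAMPLE_SCHEMA).check_entry({"objectclass": ["top", "organization", "myMember"], "o": ["x"]}))
```

The sample keeps both versions of myMember: the STRUCTURAL one from the question is flagged when combined with organization, the AUXILIARY one from the answer passes. Pointing `Schema` at the real schema files that slapd has loaded, rather than at the file in the schema directory, is what shows whether a class such as PostfixBookMailAccount or adminFunc is actually known to the server.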

Why can I select the view definition but not the view itself, despite correct permissions?

I'm having a strange issue on PostgreSQL 9.0.1 on Windows Server 2003 SP2.
I connect as a superuser and then SET SESSION AUTHORIZATION to user "X", who is a member of group role "extranet_user", which inherits membership from group role "user". "X", "extranet_user", and even "user" are all INHERIT.
I have the following view:
CREATE OR REPLACE VIEW page_startup AS
SELECT contact.name, contact.nickname, COALESCE(
CASE
WHEN has_table_privilege('mandate'::text, 'select'::text)
THEN ( SELECT false AS bool
FROM mandate
NATURAL JOIN task
WHERE task.waiting_for = "session_user"()::text::integer AND
task.deadline < now()
LIMIT 1)
ELSE NULL::boolean
END, true) AS no_mandates
FROM contact
WHERE contact.id = "session_user"()::text::integer;
GRANT SELECT ON TABLE page_startup TO "user";
If I run this:
set session authorization "X";
select pg_has_role('user','member')
I get 't' as a result. Also, if I run this (just copying the definition of the view):
set session authorization "X";
SELECT contact.name, contact.nickname, COALESCE(
CASE
WHEN has_table_privilege('mandate'::text, 'select'::text)
THEN ( SELECT false AS bool
FROM mandate
NATURAL JOIN task
WHERE task.waiting_for = "session_user"()::text::integer AND
task.deadline < now()
LIMIT 1)
ELSE NULL::boolean
END, true) AS no_mandates
FROM contact
WHERE contact.id = "session_user"()::text::integer;
I get the single row of data I'm looking for.
However, if I try to use the view instead of copying its definition:
set session authorization "X";
select * from page_startup
I get the following:
ERROR: permission denied for relation page_startup
********** Error **********
ERROR: permission denied for relation page_startup
SQL state: 42501
Strange, no? Any ideas why this might be?
Turns out restarting pgAdminIII somehow fixed it. I had, at some point after first encountering this error, changed the permissions of extranet_user to inherit, and the results had not changed. This morning I started up pgAdminIII, copied the code from this post, and it worked.